[go: up one dir, main page]

US20030039234A1 - System and method for secure network roaming - Google Patents

System and method for secure network roaming Download PDF

Info

Publication number
US20030039234A1
US20030039234A1 US10/224,226 US22422602A US2003039234A1 US 20030039234 A1 US20030039234 A1 US 20030039234A1 US 22422602 A US22422602 A US 22422602A US 2003039234 A1 US2003039234 A1 US 2003039234A1
Authority
US
United States
Prior art keywords
pgn
mobile
network
key
ipsec
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US10/224,226
Other versions
US7389412B2 (en
Inventor
Mukesh Sharma
Christopher Skiscim
Philip Roberts
Luis Sanchez
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Syniverse Technologies LLC
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US09/928,290 external-priority patent/US20030031151A1/en
Application filed by Individual filed Critical Individual
Priority to US10/224,226 priority Critical patent/US7389412B2/en
Assigned to MEGISTO SYSTEMS reassignment MEGISTO SYSTEMS ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ROBERTS, PHILIP, SANCHEZ, LUIS, SHARMA, MUKESH, SKISCIM, CHRISTOPHER
Priority to AU2002326642A priority patent/AU2002326642A1/en
Priority to PCT/US2002/025832 priority patent/WO2003015360A2/en
Publication of US20030039234A1 publication Critical patent/US20030039234A1/en
Assigned to SKYLEAD ASSETS LIMITED reassignment SKYLEAD ASSETS LIMITED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MEGISTO SYSTEMS, INC.
Application granted granted Critical
Publication of US7389412B2 publication Critical patent/US7389412B2/en
Assigned to SYNIVERSE TECHNOLOGIES, INC. reassignment SYNIVERSE TECHNOLOGIES, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SKYLEAD ASSETS LIMITED
Assigned to SYNIVERSE TECHNOLOGIES, LLC reassignment SYNIVERSE TECHNOLOGIES, LLC CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SYNIVERSE TECHNOLOGIES, INC.
Assigned to BARCLAYS BANK PLC reassignment BARCLAYS BANK PLC SECURITY AGREEMENT Assignors: SYNIVERSE TECHNOLOGIES, LLC
Assigned to BARCLAYS BANK PLC, AS ADMINISTRATIVE AGENT reassignment BARCLAYS BANK PLC, AS ADMINISTRATIVE AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SYNIVERSE TECHNOLOGIES, LLC
Assigned to SYNIVERSE TECHNOLOGIES, LLC reassignment SYNIVERSE TECHNOLOGIES, LLC TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS Assignors: BARCLAYS BANK PLC, AS COLLATERAL AGENT
Assigned to SYNIVERSE TECHNOLOGIES, LLC reassignment SYNIVERSE TECHNOLOGIES, LLC TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS Assignors: BARCLAYS BANK PLC, AS COLLATERAL AGENT
Assigned to BARCLAYS BANK PLC, AS COLLATERAL AGENT reassignment BARCLAYS BANK PLC, AS COLLATERAL AGENT NOTICE AND CONFIRMATION OF GRANT OF SECURITY INTEREST IN PATENTS Assignors: SYNIVERSE TECHNOLOGIES, LLC
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471Key exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/20Manipulation of established connections
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04Network layer protocols, e.g. mobile IP [Internet Protocol]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16Gateway arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W92/00Interfaces specially adapted for wireless communication networks
    • H04W92/02Inter-networking arrangements

Definitions

  • the invention relates generally to network systems and more particularly to communications between network peers across wireless local area networks (WLANS) as well as across a radio access network (RAN).
  • WLANS wireless local area networks
  • RAN radio access network
  • Wired Equivalent Privacy For wireless LAN communications, the 802.11 standard specifies the Wired Equivalent Privacy (WEP) in order to address the security issues, primarily protecting data confidentiality, inherent in this technology.
  • WEP Wired Equivalent Privacy
  • the WEP protocol is an international standard and widely deployed. Unfortunately, it has been shown that WEP fails to achieve its data confidentiality goals leaving users vulnerable to a number of different attacks.
  • a wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN).
  • This network with prior authentication can be for example a General Packet Radio Service (GPRS) network (also known as 3 G) or other similar network where the MN has strong authentication already established (e.g., an account with a wireless service provider).
  • GPRS General Packet Radio Service
  • the method and system establish and use an authentication mechanism between the MN and the PGN using the network connection.
  • An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism.
  • Configuration data is sent from the PGN to the MN using the encrypted channel.
  • the configuration data may then be used by the MN for secure communication to and from the MN via the PGN. Any network connected to the PGN may then be used.
  • the authentication mechanism advantageously includes generating a public/private key pair and storing the pair with names and sending from the MN a message containing its public key and key name to the PGN via the authenticated network connection.
  • the PGN then sends a message containing the PGN's public key and public key name to the MN.
  • the MN receives the PGN's public key and stores this PGN public key at the client.
  • the PGN and MN use their public keys for mutual authentication when negotiating an encrypted channel.
  • Mobile IP and IPsec configuration data are sent from the PGN to the MN using an encrypted channel based on the exchanged public keys and advantageously includes providing Mobile Internet Protocol (MIP or Mobile IP) configuration data and the IP Security protocol (IPsec) configuration data.
  • MIP or Mobile IP Mobile Internet Protocol
  • IPsec IP Security protocol
  • the Internet Key Exchange (IKE) protocol may be used with the MN requesting the Encapsulated Security Protocol for establishing a security association (SA) with the PGN.
  • SA security association
  • the MN may then connect to a non-GPRS wireless local network and establish a MIP session across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
  • ESP IPsec encapsulating security payload
  • a new Mobile IP session key may be obtained as needed by sending a Mobile IP registration request with a Vendor Specific Extension indicating that a new Mobile IP session key is desired, receiving, validating and authenticating this message at the PGN and generating a new Mobile IP session key and encrypting it with the MN's public key.
  • the MN the extracts the encrypted value and decrypts the encrypted value with the private key of the MN.
  • the registration reply may be with an authentication value based on the previous Mobile IP session key.
  • This invention solves the inherent security flaws of establishing network connections using WEP by making use of the Mobile IP standard [C. Perkins, IP Mobility Support, RFC 3220, Internet Engineering Task Force, January 2002] in conjunction with the IP Security (IPsec) protocol suite within the GPRS/UMTS infrastructure.
  • IPsec IP Security
  • the invention allows for seamless and secure roaming among wireless LANs and GPRS/UMTS networks. Indeed, the invention allows for secure roaming where the local access network is deemed insecure.
  • the invention makes use of a network infrastructure node, the packet gateway node (PGN) that is capable of function as a Gateway GPRS Serving Node network element as well as a Mobile IP Home Agent.
  • PPN packet gateway node
  • a mobile node or MN can be connected to the Internet by using wire or wireless network interfaces.
  • the device may change its network attachment each time it moves to a new link. It is therefore required that efficient protocols will be able to inform the network about this change in network attachment such that the internet data packets will be delivered in a seamless way (without any disruption of communication connection) to the new point of attachment.
  • Mobile IP Mobile IP
  • Mobile IP IETF Mobile IP IETF working group.
  • Mobile IP is a scalable mechanism designed to accommodate device mobility within the Internet. It enables a mobile device to change its point of attachment to an IP-based network (e.g. the Internet). (with the help of Foreign Agents and a Home agent) while keeping an unchanging IP address called its Home IP address.
  • Mobile IP does not require changes in the existing routing infrastructure and works well for mobility across homogeneous media and heterogeneous media.
  • the basic idea behind the Mobile IP protocol is for a mobile device or mobile node to always keep a Home IP address, irrespective of its current attachment to the Internet. Packets addressed to the MN will always go via the home network intercepted by the home agent and then are forwarded on from there as necessary. When the mobile device is on its home network, it acts just like any other stationary device. When it is away from home, visiting a foreign network, the device registers its temporary location (care-of address or COA) with the home agent situated on mobile's home network, which acts as an anchor point for the MN.
  • COA care-of address
  • Mobile IP can use two types of care of address: a foreign agent care-of address (an address from/of the foreign agent located in the visited network), and a co-located care-of address (an externally obtained care of address either through the Dynamic Host Configuration Protocol (DHCP) or any other means).
  • a foreign agent care-of address an address from/of the foreign agent located in the visited network
  • a co-located care-of address an externally obtained care of address either through the Dynamic Host Configuration Protocol (DHCP) or any other means.
  • DHCP Dynamic Host Configuration Protocol
  • the MN registers itself i.e., its location with the home network i.e. home agent either directly or through a foreign agent's help.
  • the HA After a successful registration, the HA will intercept packets destined to the MN device in its home network, and forward them to the MN's current point of attachment. The forwarding is done by “tunneling” the packets to the MN care-of address by encapsulating the original IP packet in another IP packet destined to the MN's care-of address. At the end of the tunnel, either at the foreign agent or at the MN itself, the packets are de-encapsulated thus providing the original IP packet for delivery to the MN. Packets originating from the MN are sent in the same way as from any other stationary host (except in the case of a reverse tunnel). To provide confidentiality between the MN and the Home Agent, the IPsec protocol is used.
  • the Internet Security Protocol is a suite of protocols designed to provide security services for the Internet Protocol (IP).
  • IP Internet Protocol
  • extensive use is made of mathematical algorithms for strong authentication and strong encryption. These algorithms are computationally intensive and constitute a significant processing overhead on data exchange. Consequently, specialized hardware is often used to accelerate the computations.
  • the full set of authentication and encryption algorithms, as well as protocols supported by IPSec are well specified and can be found, for instance, in “The Big Book of IPSec RFCs”, Morgan Kaufmann, 2000.
  • the IPSec protocol suite provides an architecture with three overall pieces.
  • An authentication header for IP lets communicating parties verify that data was not modified in transit and, depending on the type of key exchange, that it genuinely came from the apparent source.
  • An encapsulating security payload (ESP) format for IP is used that encrypts data to secure it against eavesdropping during transit.
  • ESP encapsulating security payload
  • a protocol negotiation and key exchange protocol, the Internet Key Exchange (IKE) is used that allows communicating parties to negotiate methods of secure communication. IKE implements specific messages from the Internet Security Association and Key Management (ISAKMP) message set.
  • a security association (SA) is established between peers using IKE. The SA groups together all the things a processing entity at the peer needs to know about the communication with the other entity. This is logically implemented in the form of a Security Association Database.
  • the SA under the IPSec specifies:
  • the SA provides a security channel to a network peer wherein the peer can be an individual unit, a group another network or network resource.
  • Various different classes of these security channels may be established with SAs.
  • IPSec network entities can build secure virtual private networks.
  • Using the ESP a secure virtual private network service called secure tunneling may be provided wherein the original IP packet header is encapsulated within the ESP.
  • a new IP header is added containing the routable address of a security gateway allowing the private, non-routable IP addresses to be passed through a public network (the Internet), that otherwise wouldn't accept them. With tunneling the original source and destination addresses maybe hidden from users on the public network.
  • the IPSec protocol is operated between two entities in an IP-based network. In order for the entities to securely exchange data, they must
  • the protection can be data origin authentication, data integrity or data confidentiality, or some combination.
  • each entity will use as well as other parameters.
  • the two entities authenticate one another and establish an ISAKMP Security Association and encryption/decryption key for exchange of shared, secret keys to be used for data exchange.
  • the ISAMKP SA is used for securely passing messages that control the IPSec protocol.
  • Steps 1 through 3 result in a IPSec Security Association (SA), distinct from the ISAKMP SA, between the two entities. These steps are roughly equivalent to the Internet Key Exchange protocol (IKE—Quick Mode, see RFC 2409). IPSec Security Associations are unidirectional. Thus if entity X and entity Y have completed an IKE, then entity X has a security association with entity Y and entity Y has a security association with entity X. These two associations are distinct and each carries a 32-bit number called the Security Parameter Index (SPI) that uniquely identifies the IPSec SA. The SPI is carried with each data packet exchanged between the two entities and allows the receiver to identify the set of previously agreed algorithms and keys.
  • SA IPSec Security Association
  • entity X would place entity Y's SPI in packets destined for entity Y, and vice versa.
  • the recipient typically uses the SPI as an index into a security association database for retrieval of all information related to the SA.
  • the SA is refreshed with a new set of keying material. If either side wishes to remove an existing SA, they may send a delete notification for the specific SA. In the case when a failure causes an SA to become unreachable, it is particularly advantageous to inform the peer of this failure through a delete notification. This prevents the peer from sending data packets which would need to be discarded because of the lack of an ingress SA. This conserves processing resources at each peer.
  • a problem with Mobile IP (MIP) and IPsec in seamless roaming is that configuration data such as IPsec authorization key and the Mobile IP session key and policy attributes need to be in place a priori.
  • Mobile IP presupposes a secret key, namely the authentication key (also known as a session key) shared between the MN and the PGN, as well as other configuration data.
  • IPsec presupposes a method by which the MN can be authenticated (shared key, X.509 certificate, etc.). Provisioning and managing this data in a non-automated fashion presents a very large administrative burden on an operator wishing to deploy this technology. While X.509 public key certificates provide one avenue for portable authentication credentials, their use would require provisioning each MN with a signed certificate as well as a reliable, worldwide public key infrastructure. Such an infrastructure is not presently in existence.
  • the invention also solves the problem of automating the configuration of the MN to make use of the seamless roaming technology.
  • a shared secret MIP session key (required to be 128 bits) must be used to authenticate all Mobile IP messages, including registration messages.
  • the Mobile IP Specification assumes such a shared key exists but offers no guidance on its distribution.
  • the shared key is ‘pre-programmed’ manually. This entails programming the key for each MN to be used or provisioning each MN with a public key certificate. This does not scale to large numbers of MNs very well.
  • the invention uses the network-based authentication mechanism inherent in the GPRS/UMTS network as a trusted means for authenticating a MN.
  • the MN wishes to establish a session to the PGN for the purposes of transiting data across the Internet, it must first be authenticated by the GPRS network. This authentication occurs prior to any control or data traffic arriving at the PGN.
  • the PGN is assured that the MN is permitted to use its services.
  • the IPsec authentication key and the Mobile IP session key are required to be shared secrets between the MN. To effect automatic configuration these would need to be sent unencrypted from the PGN.
  • the invention provides a means for receiving a MN's public key (generated by the MN), and sending the PGN's public key to the MN.
  • This public key exchange occurs only once.
  • the public keys form the basis by which the PGN and MN can mutually authenticate one another (e.g. a challenge-response protocol) and set up an encrypted session through which shared secrets and other configuration data can be sent or updated.
  • SSH Secure Shell
  • IETF Internet Engineering Task Force
  • the protocol is described collectively in the IETF draft Request for Comment documents: draft-ietf-secsh-architecture-12.txt draft-ietf-secsh-connect-15.txt, draft-ietf-secsh-transport-14.txt, draft-ietf-secsh-userauth-15.txt.
  • SSH is a protocol that provides mutual authentication using (among other methods) public keys, transport layer security and various functions including securing file transfers, copying, moving or deleting files securely.
  • the system provides the encryption algorithms:3DES,Twofish,Blowfish,Arcfour,CAST128, AES and the secure hash algorithms:MD5 and SHA1 as well as public key operations:Diffie-Hellman and DSA,PGP key support.
  • the system provides multiple channel support with public key authentication support and client and server authentication, X11 connection forwarding, TCP/IP port forwarding, TCP wrapper support, automatic public key upload to server as well as other features.
  • the invention uses the Secure Shell Protocol to effect automatic configuration for both Mobile IP and IPsec following the basic steps:
  • a one time SSH configuration is provided where the MN and the PGN exchange public keys over a network such as the GPRS network.
  • a network such as the GPRS network.
  • GPRS network advantageously authenticates the MN for using its services.
  • the MN then establishes an authenticated, encrypted session with the PGN, authenticated through the exchanged public keys, and effects a transfer of user specific configuration data.
  • Configuration includes, but is not limited to, the IPsec authentication key and the Mobile IP session key.
  • IPsec ESP MIP sessions across non-GPRS networks (e.g., IEEE 802.11, etc.) are tunneled using IPsec ESP.
  • An Internet Key Exchange (IKE) is used to create and update the IPsec Security Association (SA) when it expires. This is part of the IPsec standard.
  • SA IPsec Security Association
  • the previously configured IPsec authentication key is used with IKE to strongly authenticate the MN.
  • the MN requires a new Mobile IP session key a mechanism is provided for refreshing this data.
  • the mechanism makes use of standard Mobile IP messaging.
  • the MIP standards do not impose a lifetime on the MIP session key, the invention allows changing of the MIP session key according to a configured lifetime (typically time duration or volume of traffic expressed in bytes exchanged). This affords greater security for Mobile IP.
  • FIG. 1 is a schematic diagram showing the network infrastructure system according to the invention.
  • FIG. 2 is a schematic diagram showing a first phase of the process according to the invention.
  • FIG. 3 is a schematic diagram showing a second phase of the process according to the invention.
  • FIG. 4 is a schematic diagram showing a third phase of the process according to the invention.
  • FIG. 5 is a schematic diagram showing a fourth phase of the process according to the invention.
  • FIG. 6 is a schematic diagram showing a fifth phase of the process according to the invention.
  • FIG. 7 is a schematic diagram showing a sixth phase of the process according to the invention.
  • FIG. 8A is a first part of a diagram showing an example of the process according to the invention.
  • FIG. 8B is a second part of a diagram showing of FIG. 8A;
  • FIG. 9A is a User Datagram Protocol (UDP) datagram showing payload attributes of a datagram
  • FIG. 9B is a User Datagram Protocol (UDP) datagram showing payload attributes of a datagram.
  • UDP User Datagram Protocol
  • a mobile node (MN) 1 is provided in the form of a laptop computer, a PDA or other mobile device.
  • the MN 1 includes a radio frequency transceiver. This can be used with a WLAN 3 .
  • the WLAN 3 includes normal LAN components such as a server connected to nodes via wires such as twisted pair wires and operating using Ethernet (carrier sense multiple access/collision detection CSMA/CD or IEEE 802.3). With a WLAN at least some of the nodes are formed of an MN 1 with an access point (AP) 5 .
  • AP access point
  • the AP 5 includes a radio transceiver connected by wires (such as twisted pair wires) to a hub, switch or router of the LAN and connected from this hub to the server.
  • wires such as twisted pair wires
  • the wireless connection between AP 5 and MN 1 uses the IEEE 802.11 standard (other public standards or proprietary wireless node or hot spot systems and standards may be used instead).
  • the MN 1 may also be used with a radio access network (RAN) generally designated 10 .
  • the RAN 10 includes a radio core 4 which includes the physical lines (or network) running from a serving GPRS support node (SGSN) 2 to the gateway GPRS support node, provided here as a packet gateway node (PGN) 7 .
  • the PGN 7 handles data traffic to and from mobile subscribers via RAN 10 .
  • Data traffic arriving from, or destined to users on the RAN 10 must use one or more data communications protocols specific to mobile users and the RAN technology.
  • Traffic arriving from, or destined for the IP Router Network (e.g. the Internet) 6 can use a variety of IP-based protocols, sometimes in combination.
  • the architecture of the PGN is able to provide protocol services to the RAN 10 and to the IP Network 6 , scale to large numbers of users without significant degradation in performance and provide a highly reliable system.
  • the PGN 7 also provides for management of mobile subscribers (e.g., usage restrictions, policy enforcement) as well as tracking usage for purposes of billing and/or accounting.
  • the PGN 7 may be provided in various forms and preferably is provided as disclosed in application Ser. No. 09/811,204 and 09/816,883 (the content of application Ser. No. 09/811,204 and 09/816,883 are hereby incorporated by reference).
  • the PGN 7 can function as both a Mobile IP home agent (HA) as well as a GGSN.
  • HA Mobile IP home agent
  • the SGSN 2 is connected to one or more cellular towers (radio frequency towers) via a Mobile Switching Center for radio communications for a particular cellular area.
  • the radio core 4 provides the physical connection to the PGN 7 . This allows users of the radio core 4 to access content from the Internet 6 , such as through a host 8 .
  • the invention uses the infrastructure shown in FIG. 1 to provide a secure communications system and method including secure communications through the WLAN 3 . Further, the invention allows for roaming capabilities such that the MN 1 is provided with secure access possibilities both through the WLAN 3 and through the RAN 4 .
  • the MN 1 wishes to access content at some target host 8 residing on, or accessible through the Internet 6 using the wireless technology of the WLAN 3 .
  • the MN 1 may access the WLAN 3 using 802.11 technology (or some other wireless node technology) and through the AP 5 , traverse the Internet 6 to reach the target host 8 .
  • this connection is not secure.
  • the MN 1 may access the target host 8 by establishing a connection across an airlink to the SGSN 2 through the RAN 4 to the PGN 7 . Once this link is established, the MN 1 can reach the Target Host through the Internet 6 .
  • the airlink, SGSN 2 , Radio Core or RAN 4 and PGN 7 constitute elements of a GPRS/UMTS network 12 .
  • Data flowing across the airlink is secured with encryption.
  • the link from the SGSN 2 through the Radio Core 4 into the PGN 7 traverses a private network and this provides some measure of security.
  • the MN 1 desires the ability to roam between the GPRS/UMTS network 12 to access the target host 8 and the WLAN 3 to access the target host 8 in a secure manner.
  • this invention makes use of Mobile IP for managing mobility and IPsec for managing security.
  • Mobile IP Mobile IP
  • James D. Solomon Prentice Hall, 1998.
  • the full specification for IPsec can be found in “The Big Book of IPsec RFCs”.
  • the invention allows users to roam from GPRS to WLAN using the PGN 7 as the home agent with the connection via WLAN 3 providing the care of address.
  • the MN 1 is provided with the address of the PGN 7 and requests configuration data (including an IPsec authentication key and a Mobile IP session key) from the PGN 7 using Secure Shell.
  • the PGN 7 and the MN 1 exchange keying and configuration data secured using exchanged keys. Keys may be exchanged using either authenticated key exchange protocols or unauthenticated key exchange protocols. Since the MN 1 is authenticated via the mechanisms of GPRS, an unauthenticated key exchange suffices.
  • Examples of such key exchange protocols are Diffie-Hellman, the MVQ protocol or its one-pass variant (without certificates), or the Key Exchange Algorithm can be used to establish the shared key (cf., Wilson and Menezes, “Authenticated Diffie-Hellman Key Agreement Protocols”, Proc. Selected Areas in Cryptography, Lecture Notes in Computer Science, 1556, (1999), 339-361.)
  • the preferred embodiment makes use ofthe Secure Shell Protocol as implemented, for instance, in the Secure Shell, Inc. commercial product as follows:
  • a minimal configuration file for the Secure Shell protocol is provided at the MN 1 .
  • This configuration file is used by the command line ssh applications, scripts or executable programs. In a Windows Operating System environment this file must be named ssh 2 _config and must reside in the directory C: ⁇ Documents and Settings ⁇ username> ⁇ Application Data ⁇ SSH.
  • a client application handling the overall configuration of Mobile IP, IPsec and SSH at the MN 1 insures that the configuration file is consistent with the configuration shown above.
  • the system of the invention can then provide for a public key exchange.
  • the MN 1 generates a public/private key pair (RSA/DSA) and stores it locally in the prescribed SSH protocol format.
  • RSA/DSA public/private key pair
  • the MN establishes a GTP (GPRS Tunneling Protocol (3GPP)) session (across the GRPS network) at a configured Access Point Name (APN) (this resolves to an IP address) used exclusively for public key exchange.
  • GTP GPRS Tunneling Protocol
  • API Access Point Name
  • the MN may use other standard protocols such as the Service Location Protocol (see RFC 2165) to discover the address needed for obtaining configuration data.
  • UDP User Datagram Protocol
  • FIG. 9A An example payload of the datagram is shown in FIG. 9A where: Type 1 indicating a configuration request from the client; Timestamp 32-bit value of milliseconds since midnight UT.; Fname Len Length (in bytes) of filename of the public key file; Fname The name of the public key file (in ASCII); Key File The length (in bytes) of the public key file; Len Contents The content of the public key file.
  • the MN receives the a UDP datagram at a configured UDP port as shown in FIG. 9B where: Type 2 indicating a configuration response from the PGN; Timestamp 32-bit value of milliseconds since midnight UT. Fname Len Length (in bytes) of filename of the PGNs public key file; Fname The name of the PGNs public key file (in ASCII); Key Fil Len The length (in bytes) of the public key file; Contents The content of the public key file.
  • the client application at MN 1 insures that the timestamp is strictly increasing and within a predefined tolerance; otherwise the client silently drops the datagram. Otherwise, the MN 1 application inspects the name of the public key file and verifies that it conforms to the following format:
  • ⁇ port> will indicate the TCP port used for all subsequent SSH transactions.
  • the value ⁇ IP Address> is the dotted decimal IP address to be used for subsequent SSH transactions.
  • An example of a public key file named key_ 22 _ 192 . 168 . 20 . 229 .pub is shown below.
  • the file name communicates the fact that SSH transactions are sent to the IP address 192 . 168 . 20 . 229 at port 22 .
  • the client application at the MN 1 will store this IP address and TCP port for subsequent SSH transactions.
  • the client application modifies its SSH configuration file to reflect the port value communicated as part of the public key file name.
  • the contents of the key file is stored in a file with the Fname as the file name. In the Windows Operating System, this will be in the directory
  • the MN 1 is in possession of the PGN's public key and the PGN 7 is in possession of the MN's public key.
  • the MN and PGN 7 can now mutually authenticate each other using the SSH protocol or for example, a challenge-response protocol. This forms the basis by which the MN 1 can establish an encrypted session with the PGN and securely receive the requisite configuration data as follows:
  • the MN 1 retrieves its configuration file from the PGN 7 by issuing the following secure copy command via a script file or incorporated within a program:
  • This command embedded in a script or called from a program, establishes an encrypted session between the PGN 7 and the MN 1 (authenticated with the exchanged public keys) and securely copies the file ⁇ username>.cnf from the PGN to the directory (/umdir/) with the same file name using the Blowfish cipher. Other ciphers are available.
  • the content of the configuration file is, minimally: Configuration Version 16 bits Mobile IP Version 8 bits Mobile IP Home Address Dotted decimal representation Mobile IP SPI 32 bits MIP Session Key 128 bits MIP Key Lifetime (seconds) 32 bits MIP Key Authentication Method see Network Access Identifier Length 8 bits Network Access Identifier variable (see RFC2486) IPsec authorization key 1024 bits IPsec Gateway Address Dotted decimal representation
  • Each attribute—value pair occupies a single section of the file. A single blank line separates sections of the file.
  • the file is Base64 encoded. Other formats, such as XML are possible.
  • the MN 1 decodes each value and verifies the lengths of each entry in the configuration file to insure compliance with the above specifications.
  • the MN then extracts the required configuration values for Mobile IP and IPsec use.
  • the MN 1 connects through the WLAN 3 and requests a local care-of address (COA) from a DHCP server on the Internet.
  • COA is used for the Mobile IP protocol.
  • the DHCP server then sends a COA across the Internet and across the WLAN 3 .
  • the MN 1 sends a Mobile IP registration request, authenticated with the configured Mobile IP session key, to the HA which is hosted in PGN 7 .
  • the HA validates and authenticates the message then sends a registration reply authenticated with the same configured session key.
  • IKE is used to set up an IPsec tunnel established between the PGN 7 and the MN 1 using the COA to securely transit traffic across the WLAN 3 .
  • the secure transmissions has authentication, encryption and message integrity, indicated by a Message Integrity Code (MIC).
  • MIC Message Integrity Code
  • FIG. 5 shows the state of the process and system according to the invention wherein the MN 1 sends packets to the target host 8 via the HA hosted by PGN 7 , and also by the Internet 6 and the WLAN 3 with a access point. The entire data exchange across the WLAN is secured by IPsec. Similarly, target host 8 sends packets to MN 1 via the HA hosted on PGN 7 , via the Internet and via WLAN 3 .
  • FIG. 6 shows the subsequent state wherein the MN 1 can roam from the WLAN 3 to the GPRS.
  • the MN 1 sends a Mobile IP registration request to the HA authenticated using the configured Mobile IP session key.
  • the COA is used while connected to the WLAN 3 .
  • the MN 1 leaves the WLAN 3 and indicates via a registration request that MN 1 is back home on the GPRS/UMTS network.
  • the HA then sends a Mobile IP registration reply back to the MN 1 confirming its arrival to the home network.
  • FIG. 7 shows further data transfer using the GPRS. Packets from the MN 1 to the target host 8 go via the GPRS only. Packets from the target host 8 now go to the MN 1 via the GPRS only. However, the MN 1 can roam including again connecting to the WLAN 3 .
  • FIGS. 8A and 8B show a preferred method according to the invention. This preferred method is as follows:
  • the MN 1 performs a public key exchange across the GPRS/UMTS network with the PGN 7 to establish the authentication values used by the Secure Shell protocol.
  • Step 82 the MN 1 uses the secure copy facility of Secure Shell to obtain IPsec and Mobile IP configuration data.
  • the secure copy is authenticated using the public keys exchanged in Step 80 .
  • the MN 1 and PGN 7 are in possession of a shared secret session key used by Mobile IP as well as a shared secret IPsec authentication key used for IKE authentication.
  • the MN 1 establishes a connection on Wireless LAN 3 at step 83 and requests a Mobile IP Care-Of-Address (COA) from a Dynamic Host Configuration Protocol (DHCP) server on the Internet or a local server.
  • COA Mobile IP Care-Of-Address
  • DHCP Dynamic Host Configuration Protocol
  • the DHCP is based on device addresses and is used to allocate IP addresses and other configuration information automatically for networked systems.
  • the MN 3 receives the COA across the Wireless LAN 3 .
  • the MN 1 sends a Mobile IP registration request to the Home Agent (HA) hosted in the PGN 7 informing it that it is on a visited (foreign) network.
  • the PGN 7 receives the Mobile IP registration request at step 90 and authenticates the message using the 128-bit key established in step 82 and sends a Mobile IP registration reply to the MN 1 .
  • the MN 1 then negotiates an IPsec ESP at step 91 using the IPsec authentication key established in step 82 .
  • the MN 1 then sends packets to the target host 8 using the ESP encapsulated within the Mobile IP protocol to the PGN 7 .
  • the PGN 7 de-encapsulates the Mobile IP protocol and the ESP, and forwards the packets to the target host 8 .
  • the target host 8 replies with packets to the PGN 7 at step 92 .
  • the PGN 7 then forwards these packets using the ESP encapsulated within the Mobile IP protocol to the MN 1 .
  • the MN 1 terminates the connection with the PGN 7 and detatches from the WLAN at step 94 .
  • step 96 when the MN 1 roams back into the GPRS/UMTS network, the MN 1 sends a Mobile IP registration request to the Home Agent hosted in the PGN 7 indicating that it is back on the home network.
  • the PGN 7 sends a Mobile IP registration reply to the MN 1 using the 128-bit session key obtained in Step 82 within the reply message.
  • the system and method of the invention provides several advantages for wireless secure communications, including the ability to securely roam between, for example, a WLAN and a GPRS/UMTS connection with no manual pre-programming of a Mobile IP authentication key or an IPsec authentication key.
  • the system and method provide a solution to the security problem inherent in wireless LANs or other networks deemed insecure using purely standards based mechanisms.
  • the system and method are particularly advantageous using the described PGN 7 based on its function as both a Mobile IP home agent as well as a GGSN.
  • the system and method of the invention provide conveniences, particularly as to obtaining the 128-bit Mobile IP session key and the IPsec authentication key without the burdensome step of manual pre-programming.
  • user authentication is handled by the GPRS/UMTS network before the PGN ever sees the traffic. Therefore, the system allows one to perform a public key exchange using any method to establish a large key and use this to authenticate a secure session for configuring an IPsec shared secret authentication key and a Mobile IP session key as well as other configuration data. Manual provisioning of the authentication values is therefore not required.
  • the entire process can be automated with a script or a program.
  • the configuration need not remain static.
  • the MN 1 can refresh its configuration data securely using the exchanged public keys.
  • the MN 1 Prior to the expiration of the Mobile IP session key, the MN 1 signals its desire to refresh its Mobile IP session key by sending a Mobile IP Registration Request with a Vendor Specific Extension (see RFC 3115 ).
  • the vendor type in this extension indicates that a Mobile IP session key refresh is desired; the vendor value field is empty.
  • the PGN 7 When the PGN 7 receives, validates and authenticates this message, it generates a new Mobile IP session key and encrypts it with the MN's public key. The PGN 7 replies to the MN 1 with a Mobile IP Registration Reply with the vendor type indicating a new Mobile IP session key and the vendor value equal to the new encrypted Mobile IP session key. Note that this registration reply carries an authentication value based on the previous Mobile IP session key.
  • the MN 1 receives this registration reply, validates and authenticates this message.
  • the MN 1 extracts the encrypted value and decrypts it with its private key.
  • Both the MN 1 and PGN 7 use this value to authenticate subsequent Mobile IP messages. This gives the solution according to the system and method of the invention stronger security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN). The method and system establish and use an authentication mechanism between the MN and the PGN using the network connection. An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism. Configuration data is sent from the PGN to the MN using the encrypted channel. The configuration data may then be used by the MN for communication to and from the MN via the PGN. Any network connected to the PGN may then be used. The authentication mechanism advantageously includes exchanging public keys and then using the public keys to mutually authenticate the MN and PGN. The configuration data sent from the PGN to the MN using the encrypted channel advantageously includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data. The MN may then connect to a non-GPRS wireless local network and establish a MIP session across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).

Description

    FIELD OF THE INVENTION
  • The invention relates generally to network systems and more particularly to communications between network peers across wireless local area networks (WLANS) as well as across a radio access network (RAN). [0001]
    • BACKGROUND OF THE INVENTION
  • The growth in laptop computers and handheld computing devices (e.g., PDAs) has increased the need for users to seek network connectivity in many different locales. Wireless networks have thus gained popularity because of their convenience. However, security in a wireless networking environment is a serious concern. Because network traffic is broadcast over radio frequencies it becomes very easy for anyone with a proper radio receiver to intercept this traffic for the purpose of gaining vital information or for masquerading as a legitimate user. Protecting these communications is a strong requirement in mobile computing. [0002]
  • For wireless LAN communications, the 802.11 standard specifies the Wired Equivalent Privacy (WEP) in order to address the security issues, primarily protecting data confidentiality, inherent in this technology. The WEP protocol is an international standard and widely deployed. Unfortunately, it has been shown that WEP fails to achieve its data confidentiality goals leaving users vulnerable to a number of different attacks. [0003]
  • These vulnerabilities are well known and documented in, for example, J. R. Walker, “Unsafe at any key size: An analysis of the WEP encapsulations, IEEE document 802.11-00/362, 2001.” and references therein. [0004]
  • These security problems are a significant issue with regard to the use of the WEP. Further, combining the third generation wireless data access protocol General Packet Radio Service (GPRS)/Universal Mobile Telecommunications System (UMTS) to allow secure roaming between these networks is advantageous. Indeed, roaming between GPRS/UMTS networks across networks deemed insecure is a significant problem requiring a solution. [0005]
    • SUMMARY AND OBJECTS OF THE INVENTION
  • It is an object of the invention to provide a process and system that allows a mobile user to securely communicate with a data source such as a web server using networks which do not have sufficient security features, wherein the security is provided with minimal complications as to establishing the secure channel of communications. [0006]
  • According to the invention, a wireless data network process and system are provided based on a network with prior network-based authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN). This network with prior authentication can be for example a General Packet Radio Service (GPRS) network (also known as 3 G) or other similar network where the MN has strong authentication already established (e.g., an account with a wireless service provider). The method and system establish and use an authentication mechanism between the MN and the PGN using the network connection. An encrypted channel is then set up between the MN and the PGN based on authentication established with the authentication mechanism. Configuration data is sent from the PGN to the MN using the encrypted channel. The configuration data may then be used by the MN for secure communication to and from the MN via the PGN. Any network connected to the PGN may then be used. [0007]
  • The authentication mechanism advantageously includes generating a public/private key pair and storing the pair with names and sending from the MN a message containing its public key and key name to the PGN via the authenticated network connection. The PGN then sends a message containing the PGN's public key and public key name to the MN. The MN receives the PGN's public key and stores this PGN public key at the client. The PGN and MN use their public keys for mutual authentication when negotiating an encrypted channel. [0008]
  • Mobile IP and IPsec configuration data are sent from the PGN to the MN using an encrypted channel based on the exchanged public keys and advantageously includes providing Mobile Internet Protocol (MIP or Mobile IP) configuration data and the IP Security protocol (IPsec) configuration data. The Internet Key Exchange (IKE) protocol may be used with the MN requesting the Encapsulated Security Protocol for establishing a security association (SA) with the PGN. The MN may then connect to a non-GPRS wireless local network and establish a MIP session across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP). A new Mobile IP session key may be obtained as needed by sending a Mobile IP registration request with a Vendor Specific Extension indicating that a new Mobile IP session key is desired, receiving, validating and authenticating this message at the PGN and generating a new Mobile IP session key and encrypting it with the MN's public key. The MN the extracts the encrypted value and decrypts the encrypted value with the private key of the MN. The registration reply may be with an authentication value based on the previous Mobile IP session key. [0009]
  • This invention solves the inherent security flaws of establishing network connections using WEP by making use of the Mobile IP standard [C. Perkins, IP Mobility Support, RFC 3220, Internet Engineering Task Force, January 2002] in conjunction with the IP Security (IPsec) protocol suite within the GPRS/UMTS infrastructure. The invention allows for seamless and secure roaming among wireless LANs and GPRS/UMTS networks. Indeed, the invention allows for secure roaming where the local access network is deemed insecure. The invention makes use of a network infrastructure node, the packet gateway node (PGN) that is capable of function as a Gateway GPRS Serving Node network element as well as a Mobile IP Home Agent. [0010]
  • A mobile node or MN can be connected to the Internet by using wire or wireless network interfaces. However due to roaming, the device may change its network attachment each time it moves to a new link. It is therefore required that efficient protocols will be able to inform the network about this change in network attachment such that the internet data packets will be delivered in a seamless way (without any disruption of communication connection) to the new point of attachment. Such a problem is solved by use of the Mobile IP protocol (Mobile IP)—as specified by the Mobile IP IETF working group. Mobile IP is a scalable mechanism designed to accommodate device mobility within the Internet. It enables a mobile device to change its point of attachment to an IP-based network (e.g. the Internet). (with the help of Foreign Agents and a Home agent) while keeping an unchanging IP address called its Home IP address. Mobile IP does not require changes in the existing routing infrastructure and works well for mobility across homogeneous media and heterogeneous media. [0011]
  • The basic idea behind the Mobile IP protocol is for a mobile device or mobile node to always keep a Home IP address, irrespective of its current attachment to the Internet. Packets addressed to the MN will always go via the home network intercepted by the home agent and then are forwarded on from there as necessary. When the mobile device is on its home network, it acts just like any other stationary device. When it is away from home, visiting a foreign network, the device registers its temporary location (care-of address or COA) with the home agent situated on mobile's home network, which acts as an anchor point for the MN. Mobile IP can use two types of care of address: a foreign agent care-of address (an address from/of the foreign agent located in the visited network), and a co-located care-of address (an externally obtained care of address either through the Dynamic Host Configuration Protocol (DHCP) or any other means). Depending on the care-of address type, the MN registers itself i.e., its location with the home network i.e. home agent either directly or through a foreign agent's help. [0012]
  • After a successful registration, the HA will intercept packets destined to the MN device in its home network, and forward them to the MN's current point of attachment. The forwarding is done by “tunneling” the packets to the MN care-of address by encapsulating the original IP packet in another IP packet destined to the MN's care-of address. At the end of the tunnel, either at the foreign agent or at the MN itself, the packets are de-encapsulated thus providing the original IP packet for delivery to the MN. Packets originating from the MN are sent in the same way as from any other stationary host (except in the case of a reverse tunnel). To provide confidentiality between the MN and the Home Agent, the IPsec protocol is used. [0013]
  • The Internet Security Protocol (IPSec) is a suite of protocols designed to provide security services for the Internet Protocol (IP). Within the IPSec protocol, extensive use is made of mathematical algorithms for strong authentication and strong encryption. These algorithms are computationally intensive and constitute a significant processing overhead on data exchange. Consequently, specialized hardware is often used to accelerate the computations. The full set of authentication and encryption algorithms, as well as protocols supported by IPSec are well specified and can be found, for instance, in “The Big Book of IPSec RFCs”, Morgan Kaufmann, 2000. [0014]
  • The IPSec protocol suite provides an architecture with three overall pieces. An authentication header for IP lets communicating parties verify that data was not modified in transit and, depending on the type of key exchange, that it genuinely came from the apparent source. An encapsulating security payload (ESP) format for IP is used that encrypts data to secure it against eavesdropping during transit. A protocol negotiation and key exchange protocol, the Internet Key Exchange (IKE) is used that allows communicating parties to negotiate methods of secure communication. IKE implements specific messages from the Internet Security Association and Key Management (ISAKMP) message set. A security association (SA) is established between peers using IKE. The SA groups together all the things a processing entity at the peer needs to know about the communication with the other entity. This is logically implemented in the form of a Security Association Database. The SA, under the IPSec specifies: [0015]
  • the mode of the authentication algorithm used in the authentication header and the keys to that authentication algorithm; [0016]
  • the ESP encryption algorithm mode and the keys to that encryption algorithm; [0017]
  • the presence and size of (or absence of) any cryptographic synchronization to be used in that encryption algorithm; [0018]
  • how you authenticate communications (using what protocol, what encrypting algorithm and what key); [0019]
  • how you make communications private (again, what algorithm and what key); [0020]
  • how often those keys are to be changed; [0021]
  • the authentication algorithm, mode and transform for use in ESP plus the keys to be used by that algorithm; [0022]
  • the key lifetimes; [0023]
  • the lifetime of the SA itself, [0024]
  • the SA source address; and [0025]
  • a sensitivity level descriptor. [0026]
  • The SA provides a security channel to a network peer wherein the peer can be an individual unit, a group another network or network resource. Various different classes of these security channels may be established with SAs. Using IPSec network entities can build secure virtual private networks. Using the ESP a secure virtual private network service called secure tunneling may be provided wherein the original IP packet header is encapsulated within the ESP. A new IP header is added containing the routable address of a security gateway allowing the private, non-routable IP addresses to be passed through a public network (the Internet), that otherwise wouldn't accept them. With tunneling the original source and destination addresses maybe hidden from users on the public network. The IPSec protocol is operated between two entities in an IP-based network. In order for the entities to securely exchange data, they must [0027]
  • 1. Agree on the type of protection to be used. The protection can be data origin authentication, data integrity or data confidentiality, or some combination. [0028]
  • 2. For the chosen type of protection, agree on the algorithm(s) each entity will use as well as other parameters. The two entities authenticate one another and establish an ISAKMP Security Association and encryption/decryption key for exchange of shared, secret keys to be used for data exchange. The ISAMKP SA is used for securely passing messages that control the IPSec protocol. [0029]
  • 3. For the chosen type of protection, the two entities agree on keying material which will operate within the algorithms to achieve the agreed upon level of security. The negotiation in this step is encrypted using the ISAKMP SA keys (like an IKE SA). [0030]
  • 4. The entities apply the chosen type of protection in data exchanges and periodically change the keying material. [0031]
  • [0032] Steps 1 through 3 result in a IPSec Security Association (SA), distinct from the ISAKMP SA, between the two entities. These steps are roughly equivalent to the Internet Key Exchange protocol (IKE—Quick Mode, see RFC 2409). IPSec Security Associations are unidirectional. Thus if entity X and entity Y have completed an IKE, then entity X has a security association with entity Y and entity Y has a security association with entity X. These two associations are distinct and each carries a 32-bit number called the Security Parameter Index (SPI) that uniquely identifies the IPSec SA. The SPI is carried with each data packet exchanged between the two entities and allows the receiver to identify the set of previously agreed algorithms and keys.
  • For example, entity X would place entity Y's SPI in packets destined for entity Y, and vice versa. The recipient typically uses the SPI as an index into a security association database for retrieval of all information related to the SA. [0033]
  • Either according to a time limit, data exchange limit or exhaustion of a sequence number counter, the SA is refreshed with a new set of keying material. If either side wishes to remove an existing SA, they may send a delete notification for the specific SA. In the case when a failure causes an SA to become unreachable, it is particularly advantageous to inform the peer of this failure through a delete notification. This prevents the peer from sending data packets which would need to be discarded because of the lack of an ingress SA. This conserves processing resources at each peer. [0034]
  • A problem with Mobile IP (MIP) and IPsec in seamless roaming is that configuration data such as IPsec authorization key and the Mobile IP session key and policy attributes need to be in place a priori. Mobile IP presupposes a secret key, namely the authentication key (also known as a session key) shared between the MN and the PGN, as well as other configuration data. Likewise, IPsec presupposes a method by which the MN can be authenticated (shared key, X.509 certificate, etc.). Provisioning and managing this data in a non-automated fashion presents a very large administrative burden on an operator wishing to deploy this technology. While X.509 public key certificates provide one avenue for portable authentication credentials, their use would require provisioning each MN with a signed certificate as well as a reliable, worldwide public key infrastructure. Such an infrastructure is not presently in existence. [0035]
  • The invention also solves the problem of automating the configuration of the MN to make use of the seamless roaming technology. A shared secret MIP session key (required to be 128 bits) must be used to authenticate all Mobile IP messages, including registration messages. The Mobile IP Specification assumes such a shared key exists but offers no guidance on its distribution. Typically, the shared key is ‘pre-programmed’ manually. This entails programming the key for each MN to be used or provisioning each MN with a public key certificate. This does not scale to large numbers of MNs very well. [0036]
  • In order for MIP client registration to occur as well as IPsec ESP tunneling, a MIP session key and IPsec keying material along with configuration data are required. These keys must be exchanged securely and in a manner that imposes little overhead on the mobile client or the operator provisioning such a service. [0037]
  • Since IPsec key exchange and Mobile IP registration require a priori authentication, the invention uses the network-based authentication mechanism inherent in the GPRS/UMTS network as a trusted means for authenticating a MN. When the MN wishes to establish a session to the PGN for the purposes of transiting data across the Internet, it must first be authenticated by the GPRS network. This authentication occurs prior to any control or data traffic arriving at the PGN. When control or data traffic arrives at the PGN, the PGN is assured that the MN is permitted to use its services. Recall that the IPsec authentication key and the Mobile IP session key are required to be shared secrets between the MN. To effect automatic configuration these would need to be sent unencrypted from the PGN. Sending such values in an unencrypted manner exposes the system to innumerable security vulnerabilities. Since a shared secret between the MN and PGN does not exist, IPsec cannot be used as there is no means of authentication. At present there is no standard mechanism for exchanging shared secrets extant with the GPRS/UMTS or the MIP standards. [0038]
  • Because the MN has been authenticated by the GPRS/UMTS network, the invention provides a means for receiving a MN's public key (generated by the MN), and sending the PGN's public key to the MN. This public key exchange occurs only once. The public keys form the basis by which the PGN and MN can mutually authenticate one another (e.g. a challenge-response protocol) and set up an encrypted session through which shared secrets and other configuration data can be sent or updated. [0039]
  • The particular protocol this invention uses for public key exchange and encrypting channels is the Secure Shell (SSH) protocol now being standardized by the Internet Engineering Task Force (IETF). The protocol is described collectively in the IETF draft Request for Comment documents: draft-ietf-secsh-architecture-12.txt draft-ietf-secsh-connect-15.txt, draft-ietf-secsh-transport-14.txt, draft-ietf-secsh-userauth-15.txt. SSH is a protocol that provides mutual authentication using (among other methods) public keys, transport layer security and various functions including securing file transfers, copying, moving or deleting files securely. The system, as embodied in both commercial implementations and open source implementations, provides the encryption algorithms:3DES,Twofish,Blowfish,Arcfour,CAST128, AES and the secure hash algorithms:MD5 and SHA1 as well as public key operations:Diffie-Hellman and DSA,PGP key support. The system provides multiple channel support with public key authentication support and client and server authentication, X11 connection forwarding, TCP/IP port forwarding, TCP wrapper support, automatic public key upload to server as well as other features. [0040]
  • The invention uses the Secure Shell Protocol to effect automatic configuration for both Mobile IP and IPsec following the basic steps: [0041]
  • A one time SSH configuration is provided where the MN and the PGN exchange public keys over a network such as the GPRS network. Using the GPRS network advantageously authenticates the MN for using its services. [0042]
  • The MN then establishes an authenticated, encrypted session with the PGN, authenticated through the exchanged public keys, and effects a transfer of user specific configuration data. Configuration includes, but is not limited to, the IPsec authentication key and the Mobile IP session key. [0043]
  • MIP sessions across non-GPRS networks (e.g., IEEE 802.11, etc.) are tunneled using IPsec ESP. An Internet Key Exchange (IKE) is used to create and update the IPsec Security Association (SA) when it expires. This is part of the IPsec standard. The previously configured IPsec authentication key is used with IKE to strongly authenticate the MN. [0044]
  • If the MN requires a new Mobile IP session key a mechanism is provided for refreshing this data. The mechanism makes use of standard Mobile IP messaging. Although the MIP standards do not impose a lifetime on the MIP session key, the invention allows changing of the MIP session key according to a configured lifetime (typically time duration or volume of traffic expressed in bytes exchanged). This affords greater security for Mobile IP. [0045]
  • The various features of novelty which characterize the invention are pointed out with particularity in the claims annexed to and forming a part of this disclosure. For a better understanding of the invention, its operating advantages and specific objects attained by its uses, reference is made to the accompanying drawings and descriptive matter in which a preferred embodiment of the invention is illustrated. [0046]
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the drawings: [0047]
  • FIG. 1 is a schematic diagram showing the network infrastructure system according to the invention; [0048]
  • FIG. 2 is a schematic diagram showing a first phase of the process according to the invention; [0049]
  • FIG. 3 is a schematic diagram showing a second phase of the process according to the invention; [0050]
  • FIG. 4 is a schematic diagram showing a third phase of the process according to the invention; [0051]
  • FIG. 5 is a schematic diagram showing a fourth phase of the process according to the invention; [0052]
  • FIG. 6 is a schematic diagram showing a fifth phase of the process according to the invention; [0053]
  • FIG. 7 is a schematic diagram showing a sixth phase of the process according to the invention; [0054]
  • FIG. 8A is a first part of a diagram showing an example of the process according to the invention; [0055]
  • FIG. 8B is a second part of a diagram showing of FIG. 8A; [0056]
  • FIG. 9A is a User Datagram Protocol (UDP) datagram showing payload attributes of a datagram; and [0057]
  • FIG. 9B is a User Datagram Protocol (UDP) datagram showing payload attributes of a datagram.[0058]
    • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Referring to the drawings in particular, the invention operates within a network infrastructure shown in FIG. 1. A mobile node (MN) [0059] 1 is provided in the form of a laptop computer, a PDA or other mobile device. The MN 1 includes a radio frequency transceiver. This can be used with a WLAN 3. The WLAN 3 includes normal LAN components such as a server connected to nodes via wires such as twisted pair wires and operating using Ethernet (carrier sense multiple access/collision detection CSMA/CD or IEEE 802.3). With a WLAN at least some of the nodes are formed of an MN 1 with an access point (AP) 5. The AP 5 includes a radio transceiver connected by wires (such as twisted pair wires) to a hub, switch or router of the LAN and connected from this hub to the server. The wireless connection between AP 5 and MN 1 uses the IEEE 802.11 standard (other public standards or proprietary wireless node or hot spot systems and standards may be used instead).
  • The [0060] MN 1 may also be used with a radio access network (RAN) generally designated 10. The RAN 10 includes a radio core 4 which includes the physical lines (or network) running from a serving GPRS support node (SGSN) 2 to the gateway GPRS support node, provided here as a packet gateway node (PGN) 7. The PGN 7 handles data traffic to and from mobile subscribers via RAN 10. Data traffic arriving from, or destined to users on the RAN 10 must use one or more data communications protocols specific to mobile users and the RAN technology. Traffic arriving from, or destined for the IP Router Network (e.g. the Internet) 6 can use a variety of IP-based protocols, sometimes in combination. The architecture of the PGN is able to provide protocol services to the RAN 10 and to the IP Network 6, scale to large numbers of users without significant degradation in performance and provide a highly reliable system. The PGN 7 also provides for management of mobile subscribers (e.g., usage restrictions, policy enforcement) as well as tracking usage for purposes of billing and/or accounting. The PGN 7 may be provided in various forms and preferably is provided as disclosed in application Ser. No. 09/811,204 and 09/816,883 (the content of application Ser. No. 09/811,204 and 09/816,883 are hereby incorporated by reference). The PGN 7 can function as both a Mobile IP home agent (HA) as well as a GGSN.
  • The [0061] SGSN 2 is connected to one or more cellular towers (radio frequency towers) via a Mobile Switching Center for radio communications for a particular cellular area. The radio core 4 provides the physical connection to the PGN 7. This allows users of the radio core 4 to access content from the Internet 6, such as through a host 8.
  • The invention uses the infrastructure shown in FIG. 1 to provide a secure communications system and method including secure communications through the [0062] WLAN 3. Further, the invention allows for roaming capabilities such that the MN 1 is provided with secure access possibilities both through the WLAN 3 and through the RAN 4.
  • Ultimately, the [0063] MN 1 wishes to access content at some target host 8 residing on, or accessible through the Internet 6 using the wireless technology of the WLAN 3. There are two networks through which the MN 1 can pass in order to reach the target host 8. The MN 1 may access the WLAN 3 using 802.11 technology (or some other wireless node technology) and through the AP 5, traverse the Internet 6 to reach the target host 8. However, as noted earlier, this connection is not secure. Alternatively, the MN 1 may access the target host 8 by establishing a connection across an airlink to the SGSN 2 through the RAN 4 to the PGN 7. Once this link is established, the MN 1 can reach the Target Host through the Internet 6. Collectively, the airlink, SGSN 2, Radio Core or RAN 4 and PGN 7 constitute elements of a GPRS/UMTS network 12. Data flowing across the airlink is secured with encryption. The link from the SGSN 2 through the Radio Core 4 into the PGN 7 traverses a private network and this provides some measure of security.
  • The [0064] MN 1 desires the ability to roam between the GPRS/UMTS network 12 to access the target host 8 and the WLAN 3 to access the target host 8 in a secure manner. To manage this mobility, this invention makes use of Mobile IP for managing mobility and IPsec for managing security. A complete description of Mobile IP can be found in “Mobile IP”, James D. Solomon, Prentice Hall, 1998. The full specification for IPsec can be found in “The Big Book of IPsec RFCs”.
  • For an [0065] MN 1 to use Mobile IP and securely roam onto an 802.11 WLAN 3, it must establish a shared secret key to be used for both securing the data session and satisfying the authentication requirements of Mobile IP. However, one of the difficulties in implementing Mobile IP is that it was necessary to manually pre-program the 128-bit Mobile IP session key. In addition, to provide confidentiality of the data content, an additional layer of protection, such as IPsec, is required. For implementing this with many users, the time to pre-program can be extensive.
  • The invention allows users to roam from GPRS to WLAN using the [0066] PGN 7 as the home agent with the connection via WLAN 3 providing the care of address. As shown in FIG. 2, the MN 1 is provided with the address of the PGN 7 and requests configuration data (including an IPsec authentication key and a Mobile IP session key) from the PGN 7 using Secure Shell. The PGN 7 and the MN 1 exchange keying and configuration data secured using exchanged keys. Keys may be exchanged using either authenticated key exchange protocols or unauthenticated key exchange protocols. Since the MN 1 is authenticated via the mechanisms of GPRS, an unauthenticated key exchange suffices. Examples of such key exchange protocols are Diffie-Hellman, the MVQ protocol or its one-pass variant (without certificates), or the Key Exchange Algorithm can be used to establish the shared key (cf., Wilson and Menezes, “Authenticated Diffie-Hellman Key Agreement Protocols”, Proc. Selected Areas in Cryptography, Lecture Notes in Computer Science, 1556, (1999), 339-361.)
  • The preferred embodiment makes use ofthe Secure Shell Protocol as implemented, for instance, in the Secure Shell, Inc. commercial product as follows: [0067]
  • A minimal configuration file for the Secure Shell protocol is provided at the [0068] MN 1. This configuration file is used by the command line ssh applications, scripts or executable programs. In a Windows Operating System environment this file must be named ssh2_config and must reside in the directory C:\Documents and Settings\<username>\Application Data\SSH. An example of a minimal SSH configuration file is as follows:
    ##SSH CONFIGURATION FILE FORMAT VERSION 1.1
    ##REGEX-SYNTAX egrep
    ##end of metaconfig
    ##(leave above lines intact!)
    ##ssh2_config
    ##SSH 3.0 Client Configuration File
    ##
    ##The “.*” is used for all hosts, but you can use other hosts as
    ##well.
    .*:
    ##General
    VerboseMode no
    ForcePTTYAllocation no
    PasswordPrompt “%U's password:”
    ##Network
    Port 22
    KeepAlive yes
    ##Crypto
    Ciphers blowfish
    MACs AnyMAC
    ##User public key authentication
    IdentityFile identification
    AuthorizationFile authfile
    ##Authentication
    AllowedAuthentications publickey
  • A client application handling the overall configuration of Mobile IP, IPsec and SSH at the [0069] MN 1 insures that the configuration file is consistent with the configuration shown above.
  • The system of the invention can then provide for a public key exchange. To do this the [0070] MN 1 generates a public/private key pair (RSA/DSA) and stores it locally in the prescribed SSH protocol format. When the MN is not configured for seamless roaming, and having generated a public/private key pair, the MN establishes a GTP (GPRS Tunneling Protocol (3GPP)) session (across the GRPS network) at a configured Access Point Name (APN) (this resolves to an IP address) used exclusively for public key exchange. Alternatively, the MN may use other standard protocols such as the Service Location Protocol (see RFC 2165) to discover the address needed for obtaining configuration data.
  • Assuming the he client application has the network address needed for obtaining configuration data, it constructs and sends a User Datagram Protocol (UDP) datagram with a source address equal to the PGN-ID (equivalent to a router-ID) for a configured UDP port. An example payload of the datagram is shown in FIG. 9A where: [0071]
    Type 1 indicating a configuration request from the client;
    Timestamp 32-bit value of milliseconds since midnight UT.;
    Fname Len Length (in bytes) of filename of the public key file;
    Fname The name of the public key file (in ASCII);
    Key File The length (in bytes) of the public key file;
    Len
    Contents The content of the public key file.
  • In response, the MN receives the a UDP datagram at a configured UDP port as shown in FIG. 9B where: [0072]
    Type 2 indicating a configuration response from the PGN;
    Timestamp 32-bit value of milliseconds since midnight UT.
    Fname Len Length (in bytes) of filename of the PGNs public key file;
    Fname The name of the PGNs public key file (in ASCII);
    Key Fil Len The length (in bytes) of the public key file;
    Contents The content of the public key file.
  • The client application at [0073] MN 1 insures that the timestamp is strictly increasing and within a predefined tolerance; otherwise the client silently drops the datagram. Otherwise, the MN 1 application inspects the name of the public key file and verifies that it conforms to the following format:
  • key_<port>_<IP Address>.pub
  • In this format <port> will indicate the TCP port used for all subsequent SSH transactions. The value <IP Address> is the dotted decimal IP address to be used for subsequent SSH transactions. An example of a public key file named key_[0074] 22_192.168.20.229.pub is shown below.
  • BEGIN SSH[0075] 2 PUBLIC KEY ----
  • Subject: cskiscim [0076]
  • Comment: “host key for [0077] 192.168.20.229,
  • accepted by cskiscim Tue May [0078] 14\
  • [0079] 2002 19:36:36
  • AAAAB[0080] 3NzaC1kc3MAAACBAKPruNBf5YFX7kVBIAbnsAA5TnVrYSvQBZJ7/upKtnbP2US1aE rxxhrZamxhcOGoonfXDmVtV0hDT80ouLaNkWn35aJt4FkprKcxWfDBzcRdVnASt8E54Ity Qpd01ZdYNPXEb7FKDZQkITrJFTzMibkM99fY3ZjAxo6G5QPGpGLzAAAAFQDRseSNAr8r/D zsB7DCDtHN874T9QAAAIARCYRTqmMEg8i1Th6hcf6yAq3RQg/yG1f3LPqQTM0Zz385ErEB NNnbv8/8dF8CiZGnSB0J+udeADf7uEr+R+JhgOvEoZE/WmpDSpngCVeOEccbNItY57soIe 0Vjo/F/bOZre235v7EyUAaW0Am241LzbE4Et7w91+w+qKrUJ1dNgAAAIAsE6A9SIihYCO7 VGX5T/IDiJLgFg/qDwj/+ARJx48+eSg5fQWmo/RW0+kaNZT6tjv1QuEeX/Cj+YMgIHOP2+Ttx88CR2gL3PD5IrUq2ssudD1/z7gvX5TJR187T+feIzhGiW8EGWtbexvyUtPZfgETSUWf twp4JX01WRLGGZqBoQ==
  • ---- END SSH[0081] 2 PUBLIC KEY ----
  • The file name communicates the fact that SSH transactions are sent to the IP address [0082] 192.168.20.229 at port 22.
  • The client application at the [0083] MN 1 will store this IP address and TCP port for subsequent SSH transactions. The client application modifies its SSH configuration file to reflect the port value communicated as part of the public key file name.
  • The contents of the key file is stored in a file with the Fname as the file name. In the Windows Operating System, this will be in the directory [0084]
  • C:\Documents and Settings\<username\>Application Data\SSH\HostKeys [0085]
  • After these steps, the [0086] MN 1 is in possession of the PGN's public key and the PGN 7 is in possession of the MN's public key. The MN and PGN 7 can now mutually authenticate each other using the SSH protocol or for example, a challenge-response protocol. This forms the basis by which the MN 1 can establish an encrypted session with the PGN and securely receive the requisite configuration data as follows:
  • The [0087] MN 1 retrieves its configuration file from the PGN 7 by issuing the following secure copy command via a script file or incorporated within a program:
  • scp[0088] 2q-P<port>-cblowfishum@<ip-address>:/um/<username>.cnf/umdir/<username>.cnf
  • This command, embedded in a script or called from a program, establishes an encrypted session between the PGN [0089] 7and the MN 1 (authenticated with the exchanged public keys) and securely copies the file <username>.cnf from the PGN to the directory (/umdir/) with the same file name using the Blowfish cipher. Other ciphers are available.
  • The content of the configuration file is, minimally: [0090]
    Configuration Version 16 bits
    Mobile IP Version 8 bits
    Mobile IP Home Address Dotted decimal representation
    Mobile IP SPI 32 bits
    MIP Session Key 128 bits
    MIP Key Lifetime (seconds) 32 bits
    MIP Key Authentication Method see
    Network Access Identifier Length 8 bits
    Network Access Identifier variable (see RFC2486)
    IPsec authorization key 1024 bits
    IPsec Gateway Address Dotted decimal representation
  • Each attribute—value pair occupies a single section of the file. A single blank line separates sections of the file. The file is Base64 encoded. Other formats, such as XML are possible. [0091]
  • The [0092] MN 1 decodes each value and verifies the lengths of each entry in the configuration file to insure compliance with the above specifications.
  • The MN then extracts the required configuration values for Mobile IP and IPsec use. [0093]
  • With this data in place and having roamed onto the [0094] WLAN 3, as shown in FIG. 3, the MN 1 connects through the WLAN 3 and requests a local care-of address (COA) from a DHCP server on the Internet. This COA is used for the Mobile IP protocol. The DHCP server then sends a COA across the Internet and across the WLAN 3.
  • As shown in FIG. 4, the [0095] MN 1 sends a Mobile IP registration request, authenticated with the configured Mobile IP session key, to the HA which is hosted in PGN 7. The HA validates and authenticates the message then sends a registration reply authenticated with the same configured session key. According to the preferred embodiment IKE is used to set up an IPsec tunnel established between the PGN 7 and the MN1 using the COA to securely transit traffic across the WLAN 3. The secure transmissions has authentication, encryption and message integrity, indicated by a Message Integrity Code (MIC).
  • FIG. 5 shows the state of the process and system according to the invention wherein the [0096] MN 1 sends packets to the target host 8 via the HA hosted by PGN 7, and also by the Internet 6 and the WLAN 3 with a access point. The entire data exchange across the WLAN is secured by IPsec. Similarly, target host 8 sends packets to MN 1 via the HA hosted on PGN 7, via the Internet and via WLAN 3.
  • FIG. 6 shows the subsequent state wherein the [0097] MN 1 can roam from the WLAN 3 to the GPRS. The MN 1 sends a Mobile IP registration request to the HA authenticated using the configured Mobile IP session key. According to the method of the invention the COA is used while connected to the WLAN 3. Subsequently, the MN 1 leaves the WLAN3 and indicates via a registration request that MN 1 is back home on the GPRS/UMTS network. The HA then sends a Mobile IP registration reply back to the MN 1 confirming its arrival to the home network.
  • FIG. 7 shows further data transfer using the GPRS. Packets from the [0098] MN 1 to the target host 8 go via the GPRS only. Packets from the target host 8 now go to the MN 1 via the GPRS only. However, the MN1 can roam including again connecting to the WLAN 3.
  • FIGS. 8A and 8B show a preferred method according to the invention. This preferred method is as follows: [0099]
  • As indicated at [0100] 80, The MN 1 performs a public key exchange across the GPRS/UMTS network with the PGN 7 to establish the authentication values used by the Secure Shell protocol. In Step 82, the MN 1 uses the secure copy facility of Secure Shell to obtain IPsec and Mobile IP configuration data. The secure copy is authenticated using the public keys exchanged in Step 80. At this point, the MN 1 and PGN 7 are in possession of a shared secret session key used by Mobile IP as well as a shared secret IPsec authentication key used for IKE authentication.
  • The [0101] MN 1 establishes a connection on Wireless LAN 3 at step 83 and requests a Mobile IP Care-Of-Address (COA) from a Dynamic Host Configuration Protocol (DHCP) server on the Internet or a local server. The DHCP is based on device addresses and is used to allocate IP addresses and other configuration information automatically for networked systems.
  • At [0102] step 84 the MN 3 receives the COA across the Wireless LAN 3. At step 88 the MN 1 sends a Mobile IP registration request to the Home Agent (HA) hosted in the PGN 7 informing it that it is on a visited (foreign) network. The PGN 7 receives the Mobile IP registration request at step 90 and authenticates the message using the 128-bit key established in step 82 and sends a Mobile IP registration reply to the MN 1. The MN 1 then negotiates an IPsec ESP at step 91 using the IPsec authentication key established in step 82. The MN 1 then sends packets to the target host 8 using the ESP encapsulated within the Mobile IP protocol to the PGN 7. The PGN 7 de-encapsulates the Mobile IP protocol and the ESP, and forwards the packets to the target host 8.
  • The [0103] target host 8 replies with packets to the PGN 7 at step 92. The PGN 7 then forwards these packets using the ESP encapsulated within the Mobile IP protocol to the MN 1.
  • At the conclusion of the data session, the [0104] MN 1 terminates the connection with the PGN 7 and detatches from the WLAN at step 94.
  • At [0105] step 96, when the MN 1 roams back into the GPRS/UMTS network, the MN 1 sends a Mobile IP registration request to the Home Agent hosted in the PGN 7 indicating that it is back on the home network.
  • At [0106] step 97, the PGN 7 sends a Mobile IP registration reply to the MN 1 using the 128-bit session key obtained in Step 82 within the reply message.
  • The system and method of the invention provides several advantages for wireless secure communications, including the ability to securely roam between, for example, a WLAN and a GPRS/UMTS connection with no manual pre-programming of a Mobile IP authentication key or an IPsec authentication key. The system and method provide a solution to the security problem inherent in wireless LANs or other networks deemed insecure using purely standards based mechanisms. The system and method are particularly advantageous using the described [0107] PGN 7 based on its function as both a Mobile IP home agent as well as a GGSN.
  • The system and method of the invention provide conveniences, particularly as to obtaining the 128-bit Mobile IP session key and the IPsec authentication key without the burdensome step of manual pre-programming. In the solution of the invention, user authentication is handled by the GPRS/UMTS network before the PGN ever sees the traffic. Therefore, the system allows one to perform a public key exchange using any method to establish a large key and use this to authenticate a secure session for configuring an IPsec shared secret authentication key and a Mobile IP session key as well as other configuration data. Manual provisioning of the authentication values is therefore not required. The entire process can be automated with a script or a program. The configuration need not remain static. As desired, the [0108] MN 1 can refresh its configuration data securely using the exchanged public keys.
  • For example, the following describes how a new Mobile IP session key can be obtained within the present framework. [0109]
  • Prior to the expiration of the Mobile IP session key, the [0110] MN 1 signals its desire to refresh its Mobile IP session key by sending a Mobile IP Registration Request with a Vendor Specific Extension (see RFC 3115). The vendor type in this extension indicates that a Mobile IP session key refresh is desired; the vendor value field is empty.
  • When the [0111] PGN 7 receives, validates and authenticates this message, it generates a new Mobile IP session key and encrypts it with the MN's public key. The PGN 7 replies to the MN 1 with a Mobile IP Registration Reply with the vendor type indicating a new Mobile IP session key and the vendor value equal to the new encrypted Mobile IP session key. Note that this registration reply carries an authentication value based on the previous Mobile IP session key.
  • The [0112] MN 1 receives this registration reply, validates and authenticates this message. The MN 1 extracts the encrypted value and decrypts it with its private key. Both the MN 1 and PGN 7 use this value to authenticate subsequent Mobile IP messages. This gives the solution according to the system and method of the invention stronger security.
  • While specific embodiments of the invention have been shown and described in detail to illustrate the application of the principles of the invention, it will be understood that the invention may be embodied otherwise without departing from such principles. [0113]

Claims (26)

What is claimed is:
1. A wireless data network process, comprising the steps of:
providing a network with prior authentication of a connected mobile node (MN) and with a network connection to a packet gateway node (PGN);
establishing and using an authentication mechanism between the MN and the PGN using the network connection;
establishing an encrypted channel between the MN and the PGN based on authentication established with the authentication mechanism;
providing configuration data from the PGN to the MN using the encrypted channel;
using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN.
2. A process according to claim 1, wherein the network connection is via a serving General Packet Radio Service (GPRS) support node with a radio network connection to the PGN as a GPRS support packet gateway node.
3. A process according to claim 1, wherein the authentication mechanism includes:
at the MN generating a public/private key pair and storing the pair with names;
sending from the MN a message containing the MN's public key and key name to the PGN via the network connection;
responding from the PGN with a message containing the PGN's public key and public key name;
receiving the PGN's public key at the MN and storing this PGN public key at the MN; and
using the exchanged public keys for mutual authentication of the MN with the PGN.
4. A process according to claim 1, wherein said step of providing configuration data from the PGN to the MN using the encrypted channel includes providing Mobile Internet Protocol (MIP) configuration data and the IP Security protocol (IPsec) configuration data.
5. A process according to claim 4, further comprising:
using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing a security association (SA) with the PGN;
connecting the MN to a non-GPRS wireless local network;
establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
6. A wireless data network process according to claim 4, wherein said step of using the configuration data for communication to and from the MN via the PGN via the network connection or via another network connected to the PGN includes:
providing the network connection as a radio network connection to a serving General Packet Radio Service (SGSN) support node with a network connection to the PGN as a gateway GPRS support node (GGSN).
connecting the MN, and the MN to authenticate the PGN to a non-GPRS wireless local network;
establishing Mobile IP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
7. A wireless data network process according to claim 6, further comprising the step of obtaining a new Mobile IP session key, including:
prior to the expiration of the Mobile IP session key, sending a Mobile IP registration request with a Vendor Specific Extension indicating that a new Mobile IP session key is desired;
receiving, validating and authenticating this message at the PGN and generating a new Mobile IP session key and encrypting it with the MN's public key; and
extracting the encrypted value and decrypting the encrypted value with the private key of the MN.
8. A wireless data network process according to claim 7, wherein the step of obtaining a new Mobile IP session key includes:
providing the registration reply with an authentication value based on the previous Mobile IP session key.
9. A process according to claim 1, further comprising:
establishing a connection of the MN on a Wireless Local Area Network (WLAN);
requesting a Mobile IP Care-Of-Address (COA) from a dynamic Host configuration protocol server;
receiving the COA at the MN from across the Wireless LAN and sending data packets from the MN to a target host via the wireless LAN connection and receiving data packets from the target host via the wireless LAN connection.
10. A process according to claim 9, further comprising:
terminating the connection with the PGN and detatching from the WLAN after the conclusion of a data session of the MN.
11. A process according to claim 9, further comprising:
roaming with the MN into a region of the radio network and sending a message from the MN as a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is on the home network and using an authentication value within the message;
sending a Mobile IP registration reply from the PGN to the MN using the authentication value.
12. A wireless data network process, comprising the steps of:
providing a serving GPRS support node with a radio network connection to a Gateway GPRS support packet gateway node (PGN);
providing a mobile node client (MN);
at the client generating a public/private key pair and storing the pair with names;
sending from the client a message containing its public key and key name to the PGN via the radio network connection;
responding from the PGN with a message containing the PGN's public key and public key name;
receiving the PGN's public key at the client and storing this PGN public key at the client;
establishing an encrypted channel between the MN and the PGN based on authentication established using one or more of the exchanged public keys;
performing at the client a secure copy from the PGN to copy a configuration file from a designated directory on the PGN to a designated directory on the client;
using a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file.
13. A process according to claim 12, further comprising using the Internet Key Exchange (IKE) protocol with the MN requesting Encapsulated Security Protocol for establishing the security association (SA).
14. A wireless data network process according to claim 12, further comprising the step of:
connecting the MN to a non-GPRS wireless local network;
establishing a MIP sessions across the non-GPRS network as a tunneled session using a IPsec encapsulating security payload (ESP).
15. A wireless data network process according to claim 14, further comprising the steps of: whenever configuration material (keys or other data) is required by initiates an SSH session by the MN to the PGN with the PGN replying with fresh keying material to the MN using a secured copy between the MN and PGN and with an Internet Key Exchange (IKE) required whenever the IPsec Security Association (SA) expires.
16. A process according to claim 12, further comprising:
establishing a connection of the MN on a Wireless LAN;
requesting a Mobile IP Care-Of-Address (COA) from Dynamic Host Configuration Protocol (DHCP) server on the Internet;
receiving the COA at the MN from across the Wireless LAN and sending data packets from the MN to a target host via the wireless LAN connection and receiving data packets from the target host via the wireless LAN connection.
17. A process according to claim 16, further comprising:
terminating the connection with the PGN and detatching from the WLAN after the conclusion of a data session of the MN.
18. A process according to claim 16, further comprising:
roaming with the MN into a region of the radio network and sending a message from the MN a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is on the home network authenticated using the value obtained;
sending a Mobile IP registration reply from the PGN to the MN using the authentication value obtained.
19. A wireless network system, comprising:
a mobile node with a wireless transceiver;
a serving General Packet Radio Service (GPRS) support node;
a radio access network;
a GPRS gateway including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA);
a wireless local area network (WLAN) with a wireless access node and an internet connection;
at least one or both of a connection from the MN to the PGN and a connection between the MN and the WLAN;
a PGN public key;
a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN's public key and public key name being sent in reply to the MN via the radio network;
a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from the configuration file; and
an IPSec Security Association between the MN and the PGN with a security parameters index obtained from the SA for identifying the MN, the IPSec Security association being established between the PGN and the MN using the IP Security protocol (IPsec) configuration data.
20. A wireless network system, comprising:
a mobile node with a wireless transceiver;
a serving GPRS support node (SGPRS);
a radio access network;
a gateway GPRS including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a Mobile IP home agent (HA) with authentication of a MN handled by the GPRS/UMTS to establish a Mobile IP connection including
a PGN public and private key;
a MN generated public/private key pair stored with names at the MN, the MN public key being sent from the client to the PGN via the radio network connection and the PGN's public key and public key name being sent in reply to the MN via the radio network;
a configuration file at the MN and sent by the PGN using a secure copy format based on the exchanged public keys;
a configuration application at the client to extract Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data from configuration file.
21. A system according to claim 20, wherein in addition, an initial key exchanged based on Mobile Internet Protocol (MIP) configuration and IP Security protocol (IPsec) configuration data forms the basis for subsequent key exchanges using a standard's based protocol.
22. A system according to claim 20, wherein the standard's based protocol is IPsec.
23. A system according to claim 22, wherein subsequent traffic between the MN and the PGN is encrypted with the IKE aggressive mode key exchange using the shared key to establish a large encryption key and a SA.
24. A system according to claim 20, further comprising:
a wireless local area network (WLAN) with a wireless access node and an internet connection;
a connection between the MN and the WLAN;
a Mobile IP care-of-address obtained from a DHCP server through the connection between the MN and the WLAN.
25. A wireless data network process, comprising the steps of:
providing a serving GPRS support node with a radio network connection to a packet gateway node (PGN);
providing a mobile node client (MN);
performing a public key exchange across the GPRS/UMTS network between a mobile node and the PGN 7 to establish authentication;
using a secure copy facility based on the authentication to obtain IPsec and Mobile IP configuration data at the MN from the PGN to provide the MN and the PGN with a shared secret session key used by Mobile IP as well as a shared secret IPsec authentication key used for IKE authentication;
using the MN to establish a connection on wireless Local Area Network (LAN) and requesting a Mobile IP Care-Of-Address (COA) from a Dynamic Host Configuration Protocol (DHCP) server on the Internet;
receiving the COA across the wireless LAN 3;
sending a Mobile IP registration request to the PGN as a Home Agent (HA) hosted in the PGN;
receiving the Mobile IP registration request at the PGN and authenticating the request using a 128-bit key established from the IPsec and Mobile IP configuration data;
negotiating an IPsec Encapsulated Security Protocol (ESP) using the IPsec authentication key established from the IPsec and Mobile IP configuration data;
using the MN and the wireless LAN to send packets to a target host using the ESP to the PGN with the PGN forwarding the packets to the target host;
replying with the target host sending packets to the PGN with the PGN forwarding packets using the ESP to the MN;
at the conclusion of the data session with the wireless LAN, terminating the connection of the MN with the PGN and detaching the MN from the wireless LAN.
26. A process according to claim 25, further comprising:
roaming with the MN back into the GPRS/UMTS network and sending from the MN a Mobile IP registration request to the Home Agent hosted in the PGN indicating that the MN is back on the home network with the PGN 7 sending a Mobile IP registration reply to the MN using the 128-bit authentication value obtained from the IPsec and Mobile IP configuration data.
US10/224,226 2001-08-10 2002-08-05 System and method for secure network roaming Expired - Lifetime US7389412B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US10/224,226 US7389412B2 (en) 2001-08-10 2002-08-05 System and method for secure network roaming
AU2002326642A AU2002326642A1 (en) 2001-08-10 2002-08-12 System and method for secure network roaming
PCT/US2002/025832 WO2003015360A2 (en) 2001-08-10 2002-08-12 System and method for secure network roaming

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/928,290 US20030031151A1 (en) 2001-08-10 2001-08-10 System and method for secure roaming in wireless local area networks
US10/224,226 US7389412B2 (en) 2001-08-10 2002-08-05 System and method for secure network roaming

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/928,290 Continuation-In-Part US20030031151A1 (en) 2001-08-10 2001-08-10 System and method for secure roaming in wireless local area networks

Publications (2)

Publication Number Publication Date
US20030039234A1 true US20030039234A1 (en) 2003-02-27
US7389412B2 US7389412B2 (en) 2008-06-17

Family

ID=26918527

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/224,226 Expired - Lifetime US7389412B2 (en) 2001-08-10 2002-08-05 System and method for secure network roaming

Country Status (3)

Country Link
US (1) US7389412B2 (en)
AU (1) AU2002326642A1 (en)
WO (1) WO2003015360A2 (en)

Cited By (69)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040003100A1 (en) * 2002-06-27 2004-01-01 Feuerstraeter Mark T. Dynamically adaptable communications processor architecture and associated methods
US20040008689A1 (en) * 2002-06-20 2004-01-15 Cedric Westphal QoS signaling for mobile IP
US20040023641A1 (en) * 2002-03-22 2004-02-05 Takayuki Tsutsumi Telephone system
US20040047308A1 (en) * 2002-08-16 2004-03-11 Alan Kavanagh Secure signature in GPRS tunnelling protocol (GTP)
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US20040157626A1 (en) * 2003-02-10 2004-08-12 Vincent Park Paging methods and apparatus
US20040157619A1 (en) * 2003-02-10 2004-08-12 Corson M. Scott Methods and apparatus for updating mobile node location information
US20040203602A1 (en) * 2002-09-12 2004-10-14 Broadcom Corporation Enabling and controlling access to wireless hot spots
US20040208187A1 (en) * 2003-04-16 2004-10-21 Jerry Mizell Home agent redirection for mobile IP
EP1494395A1 (en) * 2003-07-01 2005-01-05 Alcatel Method and authentication module for providing access to a target network via a wireless local area network WLAN
US20050076198A1 (en) * 2003-10-02 2005-04-07 Apacheta Corporation Authentication system
DE10346086A1 (en) * 2003-10-04 2005-04-28 Fritz Paul Data communication method between user's mobile data terminal and destination data network, using network element with access to subscriber-specific data sets, and in which useful data are unencrypted
US20050096072A1 (en) * 2003-10-29 2005-05-05 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US20050114448A1 (en) * 2003-11-03 2005-05-26 Apacheta Corporation System and method for delegation of data processing tasks based on device physical attributes and spatial behavior
US20050144474A1 (en) * 2003-11-26 2005-06-30 F-Secure Oyj Securing a data transmission channel
US20050154909A1 (en) * 2002-04-26 2005-07-14 Junbiao Zhang Certificate based authentication authorization accounting scheme for loose coupling interworking
WO2005076564A1 (en) * 2004-02-06 2005-08-18 Telecom Italia S.P.A. Method and system for the secure and transparent provision of mobile ip services in an aaa environment
WO2005096591A1 (en) * 2004-03-31 2005-10-13 British Telecommunications Public Limited Company Authorisation
EP1587250A1 (en) * 2004-04-14 2005-10-19 AboCom Systems, Inc. VPN accelerator card for secure roaming
US20050232429A1 (en) * 2004-04-14 2005-10-20 Kuntal Chowdhury Securing home agent to mobile node communication with HA-MN key
US20050281194A1 (en) * 2004-06-22 2005-12-22 Sonoda David H Flexible M:N redundancy mechanism for packet inspection engine
US20060007928A1 (en) * 2004-07-08 2006-01-12 Michael Sangillo Flexible traffic rating interworking
US20060008064A1 (en) * 2004-07-08 2006-01-12 Michael Sangillo Flexible traffic rating interworking
US20060007897A1 (en) * 2003-05-15 2006-01-12 Matsushita Electric Industrial Co.,Ltd. Radio lan access authentication system
US20060025177A1 (en) * 2004-07-28 2006-02-02 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
WO2006055933A2 (en) * 2004-11-18 2006-05-26 Azaire Networks Inc. Maintaining consistent network connections using a secondary pdp context
US20060120305A1 (en) * 2004-12-06 2006-06-08 Alcatel Remote management method, a related auto configuration server, a related further auto configuration server, a related routing gateway and a related device
WO2006059216A1 (en) * 2004-12-01 2006-06-08 Nokia Corporation Method and system for providing wireless data network interworking
US20060126809A1 (en) * 2004-12-13 2006-06-15 Halpern Joel M HTTP extension header for metering information
US7069000B1 (en) * 2003-02-10 2006-06-27 Flarion Technologies, Inc. Security methods for use in a wireless communications system
US20060161771A1 (en) * 2002-08-14 2006-07-20 Junbiao Zhang Session key management for public wireless lan supporting multiple virtual operators
US20060209800A1 (en) * 2005-02-18 2006-09-21 Samsung Electronics Co.; Ltd Network system for interworking W-LAN and 3G mobile communication network through RoF link and authentication method according to interworking in the network system
US20060221916A1 (en) * 2005-04-01 2006-10-05 Taylor John R Wireless virtual private network
US20060242414A1 (en) * 2003-04-02 2006-10-26 Corson M S Security methods for use in a wireless communications system
US20060276137A1 (en) * 2005-05-10 2006-12-07 Network Equipment Technologies, Inc. LAN-based UMA network controller with local services support
US20060294204A1 (en) * 2005-06-28 2006-12-28 Kotzin Michael D Methods and devices for redirecting subscriber communication
US20070011334A1 (en) * 2003-11-03 2007-01-11 Steven Higgins Methods and apparatuses to provide composite applications
US20070033643A1 (en) * 2005-07-19 2007-02-08 Ssh Communications Security Corp. User authentication in connection with a security protocol
US20070036110A1 (en) * 2005-08-10 2007-02-15 Alcatel Access control of mobile equipment to an IP communication network with dynamic modification of the access policies
US20070067373A1 (en) * 2003-11-03 2007-03-22 Steven Higgins Methods and apparatuses to provide mobile applications
US20070082705A1 (en) * 2005-07-25 2007-04-12 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
US20070124592A1 (en) * 2003-06-18 2007-05-31 Johnson Oyama method, system and apparatus to support mobile ip version 6 services
US20070186000A1 (en) * 2003-05-23 2007-08-09 Pekka Nikander Secure traffic redirection in a mobile communication system
US20070201455A1 (en) * 2004-07-15 2007-08-30 Siemens Aktiengesellschaft Head Office And Plurality Of Branches Connected Via A Network
US20070230707A1 (en) * 2006-03-28 2007-10-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
JP2007534267A (en) * 2004-04-23 2007-11-22 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Support for DHCP
US20080056286A1 (en) * 2006-08-29 2008-03-06 Nokia Corporation Evaluating a communication interface
US20080080420A1 (en) * 2006-10-02 2008-04-03 Aruba Wireless Networks System and method for adaptive channel scanning within a wireless network
CN100389555C (en) * 2005-02-21 2008-05-21 西安西电捷通无线网络通信有限公司 An Access Authentication Method Suitable for Wired and Wireless Networks
CN100413269C (en) * 2004-10-29 2008-08-20 卡米尔资讯股份有限公司 System and method for mobile terminal to access network host
US20080205649A1 (en) * 2007-01-08 2008-08-28 S&C Electric Co. Power distribution system secure access communication system and method
US20090028118A1 (en) * 2003-02-18 2009-01-29 Airwave Wireless, Inc. Methods, apparatuses and systems facilitating management of airspace in wireless computer network environments
US20090070854A1 (en) * 2006-05-13 2009-03-12 Huawei Technologies Co., Ltd. Method, apparatus and network for negotiating mip capability
US20090168788A1 (en) * 2007-12-31 2009-07-02 Minsh Den Network address translation for tunnel mobility
US20090235354A1 (en) * 2003-02-18 2009-09-17 Aruba Networks, Inc. Method for detecting rogue devices operating in wireless and wired computer network environments
US20100088399A1 (en) * 2008-10-03 2010-04-08 Yoel Gluck Enterprise security setup with prequalified and authenticated peer group enabled for secure DHCP and secure ARP/RARP
US7804826B1 (en) * 2002-11-15 2010-09-28 Nortel Networks Limited Mobile IP over VPN communication protocol
US20100293372A1 (en) * 2006-03-22 2010-11-18 Patrick Fischer Asymmetric cryptography for wireless systems
US20120051321A1 (en) * 2010-08-24 2012-03-01 Clear Wireless Llc Method for seamless ip session continuity for multi-mode mobile stations
US8468354B2 (en) 2002-06-06 2013-06-18 Thomson Licensing Broker-based interworking using hierarchical certificates
US8621649B1 (en) * 2011-03-31 2013-12-31 Emc Corporation Providing a security-sensitive environment
US9143956B2 (en) 2002-09-24 2015-09-22 Hewlett-Packard Development Company, L.P. System and method for monitoring and enforcing policy within a wireless network
EP2988538A1 (en) * 2014-08-12 2016-02-24 Vodafone IP Licensing limited Machine-to-machine cellular communication security for authentication and key agreement using ggsn
GB2531862A (en) * 2014-08-12 2016-05-04 Vodafone Ip Licensing Ltd Machine-to-machine cellular communication security
US9661493B2 (en) 2013-02-22 2017-05-23 Samsung Electronics Co., Ltd. Apparatus and method for providing a wireless communication in a portable terminal
US9992670B2 (en) 2014-08-12 2018-06-05 Vodafone Ip Licensing Limited Machine-to-machine cellular communication security
US10455414B2 (en) * 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
US10992709B2 (en) * 2015-07-28 2021-04-27 Citrix Systems, Inc. Efficient use of IPsec tunnels in multi-path environment
US20210345106A1 (en) * 2019-01-25 2021-11-04 Kabushiki Kaisha Toshiba Communication control device and communication control system

Families Citing this family (152)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7308263B2 (en) 2001-02-26 2007-12-11 Kineto Wireless, Inc. Apparatus for supporting the handover of a telecommunication session between a licensed wireless system and an unlicensed wireless system
US7305700B2 (en) 2002-01-08 2007-12-04 Seven Networks, Inc. Secure transport for mobile communication network
CN1623348B (en) * 2002-01-24 2010-09-29 西门子公司 Method for securing data communications in a mobile network environment
US7505431B2 (en) 2002-03-26 2009-03-17 Interdigital Technology Corporation RLAN wireless telecommunication system with RAN IP gateway and methods
US7394795B2 (en) 2002-03-26 2008-07-01 Interdigital Technology Corporation RLAN wireless telecommunication system with RAN IP gateway and methods
US7406068B2 (en) 2002-03-26 2008-07-29 Interdigital Technology Corporation TDD-RLAN wireless telecommunication system with RAN IP gateway and methods
US8432893B2 (en) 2002-03-26 2013-04-30 Interdigital Technology Corporation RLAN wireless telecommunication system with RAN IP gateway and methods
US7489672B2 (en) 2002-03-26 2009-02-10 Interdigital Technology Corp. RLAN wireless telecommunication system with RAN IP gateway and methods
US7471655B2 (en) * 2003-10-17 2008-12-30 Kineto Wireless, Inc. Channel activation messaging in an unlicensed mobile access telecommunications system
EP2334137A3 (en) * 2002-10-18 2012-07-25 Kineto Wireless, Inc. Method and apparatuses for releasing an ongoing communication session of a telecommunication device
US7349698B2 (en) 2002-10-18 2008-03-25 Kineto Wireless, Inc. Registration messaging in an unlicensed mobile access telecommunications system
US7606190B2 (en) * 2002-10-18 2009-10-20 Kineto Wireless, Inc. Apparatus and messages for interworking between unlicensed access network and GPRS network for data services
US7752329B1 (en) * 2002-10-31 2010-07-06 Aol Inc. Migrating configuration information based on user identity information
CN1191696C (en) * 2002-11-06 2005-03-02 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network and secrete data communication method in radio link
US7870389B1 (en) * 2002-12-24 2011-01-11 Cisco Technology, Inc. Methods and apparatus for authenticating mobility entities using kerberos
US7441043B1 (en) * 2002-12-31 2008-10-21 At&T Corp. System and method to support networking functions for mobile hosts that access multiple networks
US7853563B2 (en) 2005-08-01 2010-12-14 Seven Networks, Inc. Universal data aggregation
US8468126B2 (en) 2005-08-01 2013-06-18 Seven Networks, Inc. Publishing data in an information community
US7917468B2 (en) 2005-08-01 2011-03-29 Seven Networks, Inc. Linking of personal information management data
DE10307403B4 (en) * 2003-02-20 2008-01-24 Siemens Ag Method for forming and distributing cryptographic keys in a mobile radio system and mobile radio system
EP1604490B1 (en) 2003-03-10 2016-02-03 Deutsche Telekom AG Method and arrangement for externally controlling and managing at least one wlan subscriber who is assigned to a local radio network
US8196000B2 (en) 2003-04-02 2012-06-05 Qualcomm Incorporated Methods and apparatus for interleaving in a block-coherent communication system
CA2438357A1 (en) * 2003-08-26 2005-02-26 Ibm Canada Limited - Ibm Canada Limitee System and method for secure remote access
US8296558B1 (en) * 2003-11-26 2012-10-23 Apple Inc. Method and apparatus for securing communication between a mobile node and a network
CN1277393C (en) * 2003-12-12 2006-09-27 华为技术有限公司 Method of selecting gateway of data packets by users in wireless local area network
CN1306762C (en) * 2004-01-18 2007-03-21 中兴通讯股份有限公司 Method of keeping IP address of CDMA2000 incorporated WLAN user on cross-network switchover
US7957348B1 (en) 2004-04-21 2011-06-07 Kineto Wireless, Inc. Method and system for signaling traffic and media types within a communications network switching system
US8151348B1 (en) * 2004-06-30 2012-04-03 Cisco Technology, Inc. Automatic detection of reverse tunnels
US7940746B2 (en) 2004-08-24 2011-05-10 Comcast Cable Holdings, Llc Method and system for locating a voice over internet protocol (VoIP) device connected to a network
KR100636318B1 (en) * 2004-09-07 2006-10-18 삼성전자주식회사 Address Ownership Authentication Method and System Using the COA Binding Protocol
EP1921822A2 (en) * 2004-09-20 2008-05-14 Matsushita Electric Industrial Co., Ltd. Return routability optimisation
US7639802B2 (en) * 2004-09-27 2009-12-29 Cisco Technology, Inc. Methods and apparatus for bootstrapping Mobile-Foreign and Foreign-Home authentication keys in Mobile IP
US7441271B2 (en) 2004-10-20 2008-10-21 Seven Networks Method and apparatus for intercepting events in a communication system
US8010082B2 (en) 2004-10-20 2011-08-30 Seven Networks, Inc. Flexible billing architecture
US7502331B2 (en) * 2004-11-17 2009-03-10 Cisco Technology, Inc. Infrastructure-less bootstrapping: trustless bootstrapping to enable mobility for mobile devices
KR100677152B1 (en) * 2004-11-17 2007-02-02 삼성전자주식회사 Method of content delivery in home network using user binding
US7706781B2 (en) 2004-11-22 2010-04-27 Seven Networks International Oy Data security in a mobile e-mail service
FI117152B (en) 2004-12-03 2006-06-30 Seven Networks Internat Oy E-mail service provisioning method for mobile terminal, involves using domain part and further parameters to generate new parameter set in list of setting parameter sets, if provisioning of e-mail service is successful
KR20060087271A (en) * 2005-01-28 2006-08-02 엘지전자 주식회사 Secure transmission method of mobile subscriber authentication
US7877703B1 (en) 2005-03-14 2011-01-25 Seven Networks, Inc. Intelligent rendering of information in a limited display environment
CN100358282C (en) * 2005-03-23 2007-12-26 西安电子科技大学 Key agreement method in WAPI authentication mechanism
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
US7796742B1 (en) 2005-04-21 2010-09-14 Seven Networks, Inc. Systems and methods for simplified provisioning
US7907948B2 (en) * 2005-04-22 2011-03-15 Telefonaktiebolaget L M Ericsson (Publ) Providing anonymity to a mobile node in a session with a correspondent node
US7817622B2 (en) * 2005-05-19 2010-10-19 Nokia Corporation Unlicensed mobile access optimization
WO2006136660A1 (en) 2005-06-21 2006-12-28 Seven Networks International Oy Maintaining an ip connection in a mobile network
US7801517B2 (en) * 2005-06-29 2010-09-21 At&T Intellectual Property I, L.P. Methods, systems, and computer program products for implementing a roaming controlled wireless network and services
US8069166B2 (en) 2005-08-01 2011-11-29 Seven Networks, Inc. Managing user-to-user contact with inferred presence information
US8122240B2 (en) 2005-10-13 2012-02-21 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for establishing a security association
US20070101408A1 (en) * 2005-10-31 2007-05-03 Nakhjiri Madjid F Method and apparatus for providing authorization material
US7769395B2 (en) 2006-06-20 2010-08-03 Seven Networks, Inc. Location-based operations and messaging
CA2648780C (en) * 2006-04-25 2013-07-16 Stephen Laurence Boren Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks
US20080039086A1 (en) 2006-07-14 2008-02-14 Gallagher Michael D Generic Access to the Iu Interface
US20080076425A1 (en) 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for resource management
US8204502B2 (en) * 2006-09-22 2012-06-19 Kineto Wireless, Inc. Method and apparatus for user equipment registration
US8805425B2 (en) 2007-06-01 2014-08-12 Seven Networks, Inc. Integrated messaging
US8693494B2 (en) 2007-06-01 2014-04-08 Seven Networks, Inc. Polling
US8364181B2 (en) 2007-12-10 2013-01-29 Seven Networks, Inc. Electronic-mail filtering for mobile devices
ES2548868T3 (en) * 2007-12-11 2015-10-21 Telefonaktiebolaget L M Ericsson (Publ) Methods and apparatus for generating a radio base station key and a terminal identity authenticator in a cellular radio system
US8793305B2 (en) 2007-12-13 2014-07-29 Seven Networks, Inc. Content delivery to a mobile device from a content service
US9002828B2 (en) 2007-12-13 2015-04-07 Seven Networks, Inc. Predictive content delivery
US8107921B2 (en) 2008-01-11 2012-01-31 Seven Networks, Inc. Mobile virtual network operator
US8862657B2 (en) 2008-01-25 2014-10-14 Seven Networks, Inc. Policy based content service
US20090193338A1 (en) 2008-01-28 2009-07-30 Trevor Fiatal Reducing network and battery consumption during content delivery and playback
US20090262683A1 (en) 2008-04-18 2009-10-22 Amit Khetawat Method and Apparatus for Setup and Release of User Equipment Context Identifiers in a Home Node B System
US8498416B2 (en) * 2008-05-05 2013-07-30 Qualcomm Incorporated Validation of stored or incoming messages
US8548428B2 (en) 2009-01-28 2013-10-01 Headwater Partners I Llc Device group partitions and settlement platform
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8275830B2 (en) 2009-01-28 2012-09-25 Headwater Partners I Llc Device assisted CDR creation, aggregation, mediation and billing
US8832777B2 (en) 2009-03-02 2014-09-09 Headwater Partners I Llc Adapting network policies based on device service processor configuration
US8340634B2 (en) 2009-01-28 2012-12-25 Headwater Partners I, Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US8346225B2 (en) 2009-01-28 2013-01-01 Headwater Partners I, Llc Quality of service for device assisted services
US8402111B2 (en) 2009-01-28 2013-03-19 Headwater Partners I, Llc Device assisted services install
US8406748B2 (en) 2009-01-28 2013-03-26 Headwater Partners I Llc Adaptive ambient services
US8391834B2 (en) 2009-01-28 2013-03-05 Headwater Partners I Llc Security techniques for device assisted services
US8626115B2 (en) 2009-01-28 2014-01-07 Headwater Partners I Llc Wireless network service interfaces
US20100192170A1 (en) 2009-01-28 2010-07-29 Gregory G. Raleigh Device assisted service profile management with user preference, adaptive policy, network neutrality, and user privacy
US8787947B2 (en) 2008-06-18 2014-07-22 Seven Networks, Inc. Application discovery on mobile devices
US8078158B2 (en) 2008-06-26 2011-12-13 Seven Networks, Inc. Provisioning applications for a mobile device
US8909759B2 (en) 2008-10-10 2014-12-09 Seven Networks, Inc. Bandwidth measurement
US11218854B2 (en) 2009-01-28 2022-01-04 Headwater Research Llc Service plan design, user interfaces, application programming interfaces, and device management
US10057775B2 (en) 2009-01-28 2018-08-21 Headwater Research Llc Virtualized policy and charging system
US10779177B2 (en) 2009-01-28 2020-09-15 Headwater Research Llc Device group partitions and settlement platform
US11985155B2 (en) 2009-01-28 2024-05-14 Headwater Research Llc Communications device with secure data path processing agents
US9572019B2 (en) 2009-01-28 2017-02-14 Headwater Partners LLC Service selection set published to device agent with on-device service selection
US10264138B2 (en) 2009-01-28 2019-04-16 Headwater Research Llc Mobile device and service management
US11973804B2 (en) 2009-01-28 2024-04-30 Headwater Research Llc Network service plan design
US10064055B2 (en) 2009-01-28 2018-08-28 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9565707B2 (en) 2009-01-28 2017-02-07 Headwater Partners I Llc Wireless end-user device with wireless data attribution to multiple personas
US9392462B2 (en) 2009-01-28 2016-07-12 Headwater Partners I Llc Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy
US9706061B2 (en) 2009-01-28 2017-07-11 Headwater Partners I Llc Service design center for device assisted services
US10326800B2 (en) 2009-01-28 2019-06-18 Headwater Research Llc Wireless network service interfaces
US10841839B2 (en) 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US10715342B2 (en) 2009-01-28 2020-07-14 Headwater Research Llc Managing service user discovery and service launch object placement on a device
US10798252B2 (en) 2009-01-28 2020-10-06 Headwater Research Llc System and method for providing user notifications
US9954975B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Enhanced curfew and protection associated with a device group
US9980146B2 (en) 2009-01-28 2018-05-22 Headwater Research Llc Communications device with secure data path processing agents
US10492102B2 (en) 2009-01-28 2019-11-26 Headwater Research Llc Intermediate networking devices
US9955332B2 (en) 2009-01-28 2018-04-24 Headwater Research Llc Method for child wireless device activation to subscriber account of a master wireless device
US10248996B2 (en) 2009-01-28 2019-04-02 Headwater Research Llc Method for operating a wireless end-user device mobile payment agent
US12166596B2 (en) 2009-01-28 2024-12-10 Disney Enterprises, Inc. Device-assisted services for protecting network capacity
US10484858B2 (en) 2009-01-28 2019-11-19 Headwater Research Llc Enhanced roaming services and converged carrier networks with device assisted services and a proxy
US10237757B2 (en) 2009-01-28 2019-03-19 Headwater Research Llc System and method for wireless network offloading
US9609510B2 (en) 2009-01-28 2017-03-28 Headwater Research Llc Automated credential porting for mobile devices
US10783581B2 (en) 2009-01-28 2020-09-22 Headwater Research Llc Wireless end-user device providing ambient or sponsored services
US10200541B2 (en) 2009-01-28 2019-02-05 Headwater Research Llc Wireless end-user device with divided user space/kernel space traffic policy system
US9270559B2 (en) 2009-01-28 2016-02-23 Headwater Partners I Llc Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow
EP2355439A1 (en) * 2010-02-02 2011-08-10 Swisscom AG Accessing restricted services
WO2011126889A2 (en) 2010-03-30 2011-10-13 Seven Networks, Inc. 3d mobile user interface with configurable workspace management
US8838783B2 (en) 2010-07-26 2014-09-16 Seven Networks, Inc. Distributed caching for resource and mobile network traffic management
US8886176B2 (en) 2010-07-26 2014-11-11 Seven Networks, Inc. Mobile application traffic optimization
US9077630B2 (en) 2010-07-26 2015-07-07 Seven Networks, Inc. Distributed implementation of dynamic wireless traffic policy
EP2599003B1 (en) 2010-07-26 2018-07-11 Seven Networks, LLC Mobile network traffic coordination across multiple applications
US8448235B2 (en) * 2010-08-05 2013-05-21 Motorola Solutions, Inc. Method for key identification using an internet security association and key management based protocol
DE102010041804A1 (en) * 2010-09-30 2012-04-05 Siemens Aktiengesellschaft Method for secure data transmission with a VPN box
US9330196B2 (en) 2010-11-01 2016-05-03 Seven Networks, Llc Wireless traffic management system cache optimization using http headers
WO2012060995A2 (en) 2010-11-01 2012-05-10 Michael Luna Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US8190701B2 (en) 2010-11-01 2012-05-29 Seven Networks, Inc. Cache defeat detection and caching of content addressed by identifiers intended to defeat cache
US8843153B2 (en) 2010-11-01 2014-09-23 Seven Networks, Inc. Mobile traffic categorization and policy for network use optimization while preserving user experience
US8326985B2 (en) 2010-11-01 2012-12-04 Seven Networks, Inc. Distributed management of keep-alive message signaling for mobile network resource conservation and optimization
US8903954B2 (en) 2010-11-22 2014-12-02 Seven Networks, Inc. Optimization of resource polling intervals to satisfy mobile device requests
GB2499534B (en) 2010-11-01 2018-09-19 Seven Networks Llc Caching adapted for mobile application behavior and network conditions
US8166164B1 (en) 2010-11-01 2012-04-24 Seven Networks, Inc. Application and network-based long poll request detection and cacheability assessment therefor
US8484314B2 (en) 2010-11-01 2013-07-09 Seven Networks, Inc. Distributed caching in a wireless network of content delivered for a mobile application over a long-held request
US9060032B2 (en) 2010-11-01 2015-06-16 Seven Networks, Inc. Selective data compression by a distributed traffic management system to reduce mobile data traffic and signaling traffic
EP2596658B1 (en) 2010-11-22 2018-05-09 Seven Networks, LLC Aligning data transfer to optimize connections established for transmission over a wireless network
US9325662B2 (en) 2011-01-07 2016-04-26 Seven Networks, Llc System and method for reduction of mobile network traffic used for domain name system (DNS) queries
EP2700021A4 (en) 2011-04-19 2016-07-20 Seven Networks Llc Shared resource and virtual resource management in a networked environment
EP2621144B1 (en) 2011-04-27 2014-06-25 Seven Networks, Inc. System and method for making requests on behalf of a mobile device based on atomic processes for mobile network traffic relief
US8621075B2 (en) 2011-04-27 2013-12-31 Seven Metworks, Inc. Detecting and preserving state for satisfying application requests in a distributed proxy and cache system
WO2013015995A1 (en) 2011-07-27 2013-01-31 Seven Networks, Inc. Automatic generation and distribution of policy information regarding malicious mobile traffic in a wireless network
EP2777239A1 (en) * 2011-11-07 2014-09-17 Option Establishing a communication session
US8934414B2 (en) 2011-12-06 2015-01-13 Seven Networks, Inc. Cellular or WiFi mobile traffic optimization based on public or private network destination
WO2013086225A1 (en) 2011-12-06 2013-06-13 Seven Networks, Inc. A mobile device and method to utilize the failover mechanisms for fault tolerance provided for mobile traffic management and network/device resource conservation
WO2013086447A1 (en) 2011-12-07 2013-06-13 Seven Networks, Inc. Radio-awareness of mobile device for sending server-side control signals using a wireless network optimized transport protocol
EP2788889A4 (en) 2011-12-07 2015-08-12 Seven Networks Inc Flexible and dynamic integration schemas of a traffic management system with various network operators for network traffic alleviation
US8861354B2 (en) 2011-12-14 2014-10-14 Seven Networks, Inc. Hierarchies and categories for management and deployment of policies for distributed wireless traffic optimization
US9832095B2 (en) 2011-12-14 2017-11-28 Seven Networks, Llc Operation modes for mobile traffic optimization and concurrent management of optimized and non-optimized traffic
WO2013090212A1 (en) 2011-12-14 2013-06-20 Seven Networks, Inc. Mobile network reporting and usage analytics system and method using aggregation of data in a distributed traffic optimization system
US8909202B2 (en) 2012-01-05 2014-12-09 Seven Networks, Inc. Detection and management of user interactions with foreground applications on a mobile device in distributed caching
US9203864B2 (en) 2012-02-02 2015-12-01 Seven Networks, Llc Dynamic categorization of applications for network access in a mobile network
US9326189B2 (en) 2012-02-03 2016-04-26 Seven Networks, Llc User as an end point for profiling and optimizing the delivery of content and data in a wireless network
US8812695B2 (en) 2012-04-09 2014-08-19 Seven Networks, Inc. Method and system for management of a virtual network connection without heartbeat messages
WO2013155208A1 (en) 2012-04-10 2013-10-17 Seven Networks, Inc. Intelligent customer service/call center services enhanced using real-time and historical mobile application and traffic-related statistics collected by a distributed caching system in a mobile network
US8775631B2 (en) 2012-07-13 2014-07-08 Seven Networks, Inc. Dynamic bandwidth adjustment for browsing or streaming activity in a wireless network based on prediction of user behavior when interacting with mobile applications
US9161258B2 (en) 2012-10-24 2015-10-13 Seven Networks, Llc Optimized and selective management of policy deployment to mobile clients in a congested network to prevent further aggravation of network congestion
US9307493B2 (en) 2012-12-20 2016-04-05 Seven Networks, Llc Systems and methods for application management of mobile device radio state promotion and demotion
US9241314B2 (en) 2013-01-23 2016-01-19 Seven Networks, Llc Mobile device with application or context aware fast dormancy
US8874761B2 (en) 2013-01-25 2014-10-28 Seven Networks, Inc. Signaling optimization in a wireless network for traffic utilizing proprietary and non-proprietary protocols
US9326185B2 (en) 2013-03-11 2016-04-26 Seven Networks, Llc Mobile network congestion recognition for optimization of mobile traffic
US9065765B2 (en) 2013-07-22 2015-06-23 Seven Networks, Inc. Proxy server associated with a mobile carrier for enhancing mobile traffic management in a mobile network
US11172360B2 (en) * 2017-10-13 2021-11-09 Qualcomm Incorporated Transfer of security protected configuration data from HPLMN

Citations (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5875394A (en) * 1996-12-27 1999-02-23 At & T Wireless Services Inc. Method of mutual authentication for secure wireless service provision
US6104928A (en) * 1997-10-07 2000-08-15 Nortel Dasa Network System Gmbh & Co. Kg Dual network integration scheme
US6128389A (en) * 1997-01-31 2000-10-03 Synacom Technology, Inc. Authentication key management system and method
USRE36946E (en) * 1993-11-02 2000-11-07 Sun Microsystems, Inc. Method and apparatus for privacy and authentication in wireless networks
US6225888B1 (en) * 1997-12-08 2001-05-01 Nokia Telecommunications Oy Authentication between communicating parties in a telecommunications network
US20010055394A1 (en) * 2000-05-24 2001-12-27 Veijo Vanttinen Method for processing location information relating to a terminal connected to a packet network via a cellular network
US20020012433A1 (en) * 2000-03-31 2002-01-31 Nokia Corporation Authentication in a packet data network
US20020018569A1 (en) * 1998-12-04 2002-02-14 Prakash Panjwani Enhanced subscriber authentication protocol
US20020066036A1 (en) * 2000-11-13 2002-05-30 Gowri Makineni System and method for secure network mobility
US6408175B1 (en) * 1998-03-03 2002-06-18 Lg Information & Communications Ltd. Method of managing mobile station operational parameters
US20020077078A1 (en) * 1999-02-11 2002-06-20 Huima Antti Method of securing communication
US20020075812A1 (en) * 2000-12-14 2002-06-20 Corwin Susan Julia Mobile agent connectivity
US20020101859A1 (en) * 2000-09-12 2002-08-01 Maclean Ian B. Communicating between nodes in different wireless networks
US20020147820A1 (en) * 2001-04-06 2002-10-10 Docomo Communications Laboratories Usa, Inc. Method for implementing IP security in mobile IP networks
US20020157024A1 (en) * 2001-04-06 2002-10-24 Aki Yokote Intelligent security association management server for mobile IP networks
US20020161723A1 (en) * 2000-09-11 2002-10-31 Nadarajah Asokan System and method of secure authentication and billing for goods and services using a cellular telecommunication and an authorization infrastructure
US20020164026A1 (en) * 1999-02-11 2002-11-07 Antti Huima An authentication method
US20020178358A1 (en) * 2001-02-23 2002-11-28 Perkins Charles E. System and method for strong authentication achieved in a single round trip
US6496704B2 (en) * 1997-01-07 2002-12-17 Verizon Laboratories Inc. Systems and methods for internetworking data networks having mobility management functions
US20020191548A1 (en) * 2001-03-22 2002-12-19 Tatu Ylonen Security system for a data communications network
US20020191572A1 (en) * 2001-06-04 2002-12-19 Nec Usa, Inc. Apparatus for public access mobility lan and method of operation thereof
US20020197979A1 (en) * 2001-05-22 2002-12-26 Vanderveen Michaela Catalina Authentication system for mobile entities
US20030012382A1 (en) * 2000-02-08 2003-01-16 Azim Ferchichi Single sign-on process
US20030031151A1 (en) * 2001-08-10 2003-02-13 Mukesh Sharma System and method for secure roaming in wireless local area networks
US20030051041A1 (en) * 2001-08-07 2003-03-13 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US20030051140A1 (en) * 2001-09-13 2003-03-13 Buddhikot Milind M. Scheme for authentication and dynamic key exchange
US20030091013A1 (en) * 2001-11-07 2003-05-15 Samsung Electronics Co., Ltd. Authentication method between mobile node and home agent in a wireless communication system
US20030147532A1 (en) * 2002-02-07 2003-08-07 Tomi Hakkarainen Hybrid network encrypt/decrypt scheme
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP
US20030157926A1 (en) * 2000-03-31 2003-08-21 Juha Ala-Laurila Billing in a packet data network
US20040015692A1 (en) * 2000-08-03 2004-01-22 Green Mark Raymond Authentication in a mobile communications network
US20040054794A1 (en) * 2000-06-29 2004-03-18 Jorgen Lantto Method and arrangement to secure access to a communications network
US6711147B1 (en) * 1999-04-01 2004-03-23 Nortel Networks Limited Merged packet service and mobile internet protocol
US20040090972A1 (en) * 2001-04-12 2004-05-13 Barrett Mark A Hybrid network
US6769000B1 (en) * 1999-09-08 2004-07-27 Nortel Networks Limited Unified directory services architecture for an IP mobility architecture framework
US20040151322A1 (en) * 2001-06-05 2004-08-05 Sampo Sovio Method and arrangement for efficient information network key exchange
US6931529B2 (en) * 2001-01-05 2005-08-16 International Business Machines Corporation Establishing consistent, end-to-end protection for a user datagram
US6937731B2 (en) * 2001-03-13 2005-08-30 Mitake Information Corporation End to end real-time encrypting process of a mobile commerce WAP data transmission section and the module of the same
US6986061B1 (en) * 2000-11-20 2006-01-10 International Business Machines Corporation Integrated system for network layer security and fine-grained identity-based access control
US7028186B1 (en) * 2000-02-11 2006-04-11 Nokia, Inc. Key management methods for wireless LANs
US7079499B1 (en) * 1999-09-08 2006-07-18 Nortel Networks Limited Internet protocol mobility architecture framework
US20060168210A1 (en) * 2001-04-03 2006-07-27 Pasi Ahonen Facilitating legal interception of ip connections
US7136645B2 (en) * 1998-10-09 2006-11-14 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI980291L (en) * 1998-02-09 1999-08-10 Nokia Mobile Phones Ltd Mobile internet access
SE519474C2 (en) * 1998-04-28 2003-03-04 Telia Ab Method of transmitting data over a cellular mobile radio communication system

Patent Citations (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
USRE36946E (en) * 1993-11-02 2000-11-07 Sun Microsystems, Inc. Method and apparatus for privacy and authentication in wireless networks
US5875394A (en) * 1996-12-27 1999-02-23 At & T Wireless Services Inc. Method of mutual authentication for secure wireless service provision
US6496704B2 (en) * 1997-01-07 2002-12-17 Verizon Laboratories Inc. Systems and methods for internetworking data networks having mobility management functions
US6128389A (en) * 1997-01-31 2000-10-03 Synacom Technology, Inc. Authentication key management system and method
US6104928A (en) * 1997-10-07 2000-08-15 Nortel Dasa Network System Gmbh & Co. Kg Dual network integration scheme
US6225888B1 (en) * 1997-12-08 2001-05-01 Nokia Telecommunications Oy Authentication between communicating parties in a telecommunications network
US6408175B1 (en) * 1998-03-03 2002-06-18 Lg Information & Communications Ltd. Method of managing mobile station operational parameters
US7136645B2 (en) * 1998-10-09 2006-11-14 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US20020018569A1 (en) * 1998-12-04 2002-02-14 Prakash Panjwani Enhanced subscriber authentication protocol
US7123721B2 (en) * 1998-12-04 2006-10-17 Certicom Corp. Enhanced subscriber authentication protocol
US20020077078A1 (en) * 1999-02-11 2002-06-20 Huima Antti Method of securing communication
US7120422B2 (en) * 1999-02-11 2006-10-10 Nokia Corporation Method, element and system for securing communication between two parties
US20020164026A1 (en) * 1999-02-11 2002-11-07 Antti Huima An authentication method
US20020102964A1 (en) * 1999-03-03 2002-08-01 Lg Information & Communications, Ltd. Method of managing mobile station operational parameters
US6839553B2 (en) * 1999-03-03 2005-01-04 Lg Information & Communications, Ltd. Method of managing mobile station operational parameters
US6711147B1 (en) * 1999-04-01 2004-03-23 Nortel Networks Limited Merged packet service and mobile internet protocol
US7079499B1 (en) * 1999-09-08 2006-07-18 Nortel Networks Limited Internet protocol mobility architecture framework
US6769000B1 (en) * 1999-09-08 2004-07-27 Nortel Networks Limited Unified directory services architecture for an IP mobility architecture framework
US20030012382A1 (en) * 2000-02-08 2003-01-16 Azim Ferchichi Single sign-on process
US7058180B2 (en) * 2000-02-08 2006-06-06 Swisscom Mobile Ag Single sign-on process
US7028186B1 (en) * 2000-02-11 2006-04-11 Nokia, Inc. Key management methods for wireless LANs
US7107620B2 (en) * 2000-03-31 2006-09-12 Nokia Corporation Authentication in a packet data network
US20030157926A1 (en) * 2000-03-31 2003-08-21 Juha Ala-Laurila Billing in a packet data network
US20020012433A1 (en) * 2000-03-31 2002-01-31 Nokia Corporation Authentication in a packet data network
US20010055394A1 (en) * 2000-05-24 2001-12-27 Veijo Vanttinen Method for processing location information relating to a terminal connected to a packet network via a cellular network
US7152160B2 (en) * 2000-06-29 2006-12-19 Alice Systems Ab Method and arrangement to secure access to a communications network
US20040054794A1 (en) * 2000-06-29 2004-03-18 Jorgen Lantto Method and arrangement to secure access to a communications network
US20040015692A1 (en) * 2000-08-03 2004-01-22 Green Mark Raymond Authentication in a mobile communications network
US20020161723A1 (en) * 2000-09-11 2002-10-31 Nadarajah Asokan System and method of secure authentication and billing for goods and services using a cellular telecommunication and an authorization infrastructure
US20020101859A1 (en) * 2000-09-12 2002-08-01 Maclean Ian B. Communicating between nodes in different wireless networks
US20020066036A1 (en) * 2000-11-13 2002-05-30 Gowri Makineni System and method for secure network mobility
US6986061B1 (en) * 2000-11-20 2006-01-10 International Business Machines Corporation Integrated system for network layer security and fine-grained identity-based access control
US20020075812A1 (en) * 2000-12-14 2002-06-20 Corwin Susan Julia Mobile agent connectivity
US6931529B2 (en) * 2001-01-05 2005-08-16 International Business Machines Corporation Establishing consistent, end-to-end protection for a user datagram
US20020178358A1 (en) * 2001-02-23 2002-11-28 Perkins Charles E. System and method for strong authentication achieved in a single round trip
US6937731B2 (en) * 2001-03-13 2005-08-30 Mitake Information Corporation End to end real-time encrypting process of a mobile commerce WAP data transmission section and the module of the same
US20020191548A1 (en) * 2001-03-22 2002-12-19 Tatu Ylonen Security system for a data communications network
US20060168210A1 (en) * 2001-04-03 2006-07-27 Pasi Ahonen Facilitating legal interception of ip connections
US20020147820A1 (en) * 2001-04-06 2002-10-10 Docomo Communications Laboratories Usa, Inc. Method for implementing IP security in mobile IP networks
US20020157024A1 (en) * 2001-04-06 2002-10-24 Aki Yokote Intelligent security association management server for mobile IP networks
US20040090972A1 (en) * 2001-04-12 2004-05-13 Barrett Mark A Hybrid network
US20020197979A1 (en) * 2001-05-22 2002-12-26 Vanderveen Michaela Catalina Authentication system for mobile entities
US20020191572A1 (en) * 2001-06-04 2002-12-19 Nec Usa, Inc. Apparatus for public access mobility lan and method of operation thereof
US20040151322A1 (en) * 2001-06-05 2004-08-05 Sampo Sovio Method and arrangement for efficient information network key exchange
US7171460B2 (en) * 2001-08-07 2007-01-30 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US20030051041A1 (en) * 2001-08-07 2003-03-13 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US20030031151A1 (en) * 2001-08-10 2003-02-13 Mukesh Sharma System and method for secure roaming in wireless local area networks
US20030051140A1 (en) * 2001-09-13 2003-03-13 Buddhikot Milind M. Scheme for authentication and dynamic key exchange
US7065067B2 (en) * 2001-11-07 2006-06-20 Samsung Electronics Co., Ltd. Authentication method between mobile node and home agent in a wireless communication system
US20030091013A1 (en) * 2001-11-07 2003-05-15 Samsung Electronics Co., Ltd. Authentication method between mobile node and home agent in a wireless communication system
US20030147532A1 (en) * 2002-02-07 2003-08-07 Tomi Hakkarainen Hybrid network encrypt/decrypt scheme
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP

Cited By (133)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040023641A1 (en) * 2002-03-22 2004-02-05 Takayuki Tsutsumi Telephone system
US6904277B2 (en) * 2002-03-22 2005-06-07 Nec Infrontia Corporation Telephone system
US20050154909A1 (en) * 2002-04-26 2005-07-14 Junbiao Zhang Certificate based authentication authorization accounting scheme for loose coupling interworking
US7735126B2 (en) * 2002-04-26 2010-06-08 Thomson Licensing Certificate based authentication authorization accounting scheme for loose coupling interworking
US8468354B2 (en) 2002-06-06 2013-06-18 Thomson Licensing Broker-based interworking using hierarchical certificates
US20040008689A1 (en) * 2002-06-20 2004-01-15 Cedric Westphal QoS signaling for mobile IP
US20080186923A1 (en) * 2002-06-20 2008-08-07 Spyder Navigations L.L.C. Qos signaling for mobile ip
US7453851B2 (en) * 2002-06-20 2008-11-18 Spyder Navigations L.L.C. QoS signaling for mobile IP
US7813343B2 (en) 2002-06-20 2010-10-12 Cedric Westphal QoS signaling for mobile IP
US7243154B2 (en) * 2002-06-27 2007-07-10 Intel Corporation Dynamically adaptable communications processor architecture and associated methods
US20040003100A1 (en) * 2002-06-27 2004-01-01 Feuerstraeter Mark T. Dynamically adaptable communications processor architecture and associated methods
US20060161771A1 (en) * 2002-08-14 2006-07-20 Junbiao Zhang Session key management for public wireless lan supporting multiple virtual operators
US20070226499A1 (en) * 2002-08-14 2007-09-27 Thomson Licensing Session key management for public wireless lan supporting multiple virtual operators
US7239864B2 (en) * 2002-08-14 2007-07-03 Thomson Licensing Session key management for public wireless LAN supporting multiple virtual operators
US8145193B2 (en) * 2002-08-14 2012-03-27 Thomson Licensing Session key management for public wireless LAN supporting multiple virtual operators
US20040047308A1 (en) * 2002-08-16 2004-03-11 Alan Kavanagh Secure signature in GPRS tunnelling protocol (GTP)
US20040203602A1 (en) * 2002-09-12 2004-10-14 Broadcom Corporation Enabling and controlling access to wireless hot spots
US20050260972A1 (en) * 2002-09-12 2005-11-24 Broadcom Corporation Enabling and controlling access to wireless hot spots
US9143956B2 (en) 2002-09-24 2015-09-22 Hewlett-Packard Development Company, L.P. System and method for monitoring and enforcing policy within a wireless network
US7804826B1 (en) * 2002-11-15 2010-09-28 Nortel Networks Limited Mobile IP over VPN communication protocol
US9300634B2 (en) 2002-11-15 2016-03-29 Apple Inc. Mobile IP over VPN communication protocol
US8594024B2 (en) 2002-11-15 2013-11-26 Apple Inc. Mobile IP over VPN communication protocol
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US7350077B2 (en) * 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
US7069000B1 (en) * 2003-02-10 2006-06-27 Flarion Technologies, Inc. Security methods for use in a wireless communications system
US7392056B2 (en) 2003-02-10 2008-06-24 Qualcomm Incorporated Methods and apparatus for updating mobile node location information
US20040157619A1 (en) * 2003-02-10 2004-08-12 Corson M. Scott Methods and apparatus for updating mobile node location information
US7016690B2 (en) 2003-02-10 2006-03-21 Flarion Technologies, Inc. Methods and apparatus for updating mobile node location information
US20060112183A1 (en) * 2003-02-10 2006-05-25 Corson M S Methods and apparatus for updating mobile node location information
US20040157626A1 (en) * 2003-02-10 2004-08-12 Vincent Park Paging methods and apparatus
US20070060175A1 (en) * 2003-02-10 2007-03-15 Vincent Park Paging methods and apparatus
US20090028118A1 (en) * 2003-02-18 2009-01-29 Airwave Wireless, Inc. Methods, apparatuses and systems facilitating management of airspace in wireless computer network environments
US9356761B2 (en) 2003-02-18 2016-05-31 Aruba Networks, Inc. Methods, apparatuses and systems facilitating management of airspace in wireless computer network environments
US8576812B2 (en) 2003-02-18 2013-11-05 Aruba Networks, Inc. Methods, apparatuses and systems facilitating management of airspace in wireless computer network environments
US20090235354A1 (en) * 2003-02-18 2009-09-17 Aruba Networks, Inc. Method for detecting rogue devices operating in wireless and wired computer network environments
US9137670B2 (en) 2003-02-18 2015-09-15 Hewlett-Packard Development Company, L.P. Method for detecting rogue devices operating in wireless and wired computer network environments
US20060242414A1 (en) * 2003-04-02 2006-10-26 Corson M S Security methods for use in a wireless communications system
US7729686B2 (en) 2003-04-02 2010-06-01 Qualcomm Incorporated Security methods for use in a wireless communications system
US7343158B2 (en) * 2003-04-16 2008-03-11 Nortel Networks Limited Home agent redirection for mobile IP
US20040208187A1 (en) * 2003-04-16 2004-10-21 Jerry Mizell Home agent redirection for mobile IP
US20060007897A1 (en) * 2003-05-15 2006-01-12 Matsushita Electric Industrial Co.,Ltd. Radio lan access authentication system
US7127234B2 (en) * 2003-05-15 2006-10-24 Matsushita Electric Industrial Co., Ltd. Radio LAN access authentication system
US20070186000A1 (en) * 2003-05-23 2007-08-09 Pekka Nikander Secure traffic redirection in a mobile communication system
US7962122B2 (en) * 2003-05-23 2011-06-14 Telefonaktiebolaget Lm Ericsson (Publ) Secure traffic redirection in a mobile communication system
US7934094B2 (en) 2003-06-18 2011-04-26 Telefonaktiebolaget Lm Ericsson (Publ) Method, system and apparatus to support mobile IP version 6 services
US20070124592A1 (en) * 2003-06-18 2007-05-31 Johnson Oyama method, system and apparatus to support mobile ip version 6 services
EP1494395A1 (en) * 2003-07-01 2005-01-05 Alcatel Method and authentication module for providing access to a target network via a wireless local area network WLAN
US20050076198A1 (en) * 2003-10-02 2005-04-07 Apacheta Corporation Authentication system
DE10346086B4 (en) * 2003-10-04 2006-12-14 Fritz Paul Method for data communication between a user's mobile data terminal (ME) and a destination data network
DE10346086A1 (en) * 2003-10-04 2005-04-28 Fritz Paul Data communication method between user's mobile data terminal and destination data network, using network element with access to subscriber-specific data sets, and in which useful data are unencrypted
JP2016021777A (en) * 2003-10-29 2016-02-04 インターデイジタル テクノロジー コーポレーション Method for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US10149264B2 (en) 2003-10-29 2018-12-04 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US20050096072A1 (en) * 2003-10-29 2005-05-05 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US8526978B2 (en) 2003-10-29 2013-09-03 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US10841891B2 (en) 2003-10-29 2020-11-17 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US9094930B2 (en) 2003-10-29 2015-07-28 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US10349369B2 (en) 2003-10-29 2019-07-09 Interdigital Technology Corporation Method and apparatus for efficiently delivering supplementary services to multi-technology capable wireless transmit/receive units
US20050114448A1 (en) * 2003-11-03 2005-05-26 Apacheta Corporation System and method for delegation of data processing tasks based on device physical attributes and spatial behavior
US20070011334A1 (en) * 2003-11-03 2007-01-11 Steven Higgins Methods and apparatuses to provide composite applications
US20070067373A1 (en) * 2003-11-03 2007-03-22 Steven Higgins Methods and apparatuses to provide mobile applications
US7945675B2 (en) 2003-11-03 2011-05-17 Apacheta Corporation System and method for delegation of data processing tasks based on device physical attributes and spatial behavior
US20050144474A1 (en) * 2003-11-26 2005-06-30 F-Secure Oyj Securing a data transmission channel
US8136165B2 (en) * 2003-11-26 2012-03-13 Tectia Corporation Securing a data transmission channel
US20070230453A1 (en) * 2004-02-06 2007-10-04 Telecom Italia S.P.A. Method and System for the Secure and Transparent Provision of Mobile Ip Services in an Aaa Environment
WO2005076564A1 (en) * 2004-02-06 2005-08-18 Telecom Italia S.P.A. Method and system for the secure and transparent provision of mobile ip services in an aaa environment
US20070198835A1 (en) * 2004-03-31 2007-08-23 British Telecommunications Public Limited Company Adaptive closed group caricaturing
WO2005096591A1 (en) * 2004-03-31 2005-10-13 British Telecommunications Public Limited Company Authorisation
EP1587250A1 (en) * 2004-04-14 2005-10-19 AboCom Systems, Inc. VPN accelerator card for secure roaming
US20050232429A1 (en) * 2004-04-14 2005-10-20 Kuntal Chowdhury Securing home agent to mobile node communication with HA-MN key
US8126148B2 (en) * 2004-04-14 2012-02-28 Rockstar Bidco Lp Securing home agent to mobile node communication with HA-MN key
US8549294B2 (en) 2004-04-14 2013-10-01 Apple Inc. Securing home agent to mobile node communication with HA-MN key
JP2007534267A (en) * 2004-04-23 2007-11-22 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Support for DHCP
US20050281194A1 (en) * 2004-06-22 2005-12-22 Sonoda David H Flexible M:N redundancy mechanism for packet inspection engine
US7586838B2 (en) 2004-06-22 2009-09-08 Skylead Assets Limited Flexible M:N redundancy mechanism for packet inspection engine
US20060008064A1 (en) * 2004-07-08 2006-01-12 Michael Sangillo Flexible traffic rating interworking
US20060007928A1 (en) * 2004-07-08 2006-01-12 Michael Sangillo Flexible traffic rating interworking
US20070201455A1 (en) * 2004-07-15 2007-08-30 Siemens Aktiengesellschaft Head Office And Plurality Of Branches Connected Via A Network
US9025596B2 (en) * 2004-07-15 2015-05-05 Unify Gmbh & Co. Kg Head office and plurality of branches connected via a network
US20060025177A1 (en) * 2004-07-28 2006-02-02 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
US7574235B2 (en) * 2004-07-28 2009-08-11 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
CN100413269C (en) * 2004-10-29 2008-08-20 卡米尔资讯股份有限公司 System and method for mobile terminal to access network host
WO2006055933A2 (en) * 2004-11-18 2006-05-26 Azaire Networks Inc. Maintaining consistent network connections using a secondary pdp context
WO2006055933A3 (en) * 2004-11-18 2006-12-07 Azaire Networks Inc Maintaining consistent network connections using a secondary pdp context
US20060130136A1 (en) * 2004-12-01 2006-06-15 Vijay Devarapalli Method and system for providing wireless data network interworking
WO2006059216A1 (en) * 2004-12-01 2006-06-08 Nokia Corporation Method and system for providing wireless data network interworking
US20060120305A1 (en) * 2004-12-06 2006-06-08 Alcatel Remote management method, a related auto configuration server, a related further auto configuration server, a related routing gateway and a related device
US8125894B2 (en) * 2004-12-06 2012-02-28 Alcatel Lucent Remote management method, a related auto configuration server, a related further auto configuration server, a related routing gateway and a related device
US20060126809A1 (en) * 2004-12-13 2006-06-15 Halpern Joel M HTTP extension header for metering information
US7266116B2 (en) 2004-12-13 2007-09-04 Skylead Assets Limited HTTP extension header for metering information
US20060209800A1 (en) * 2005-02-18 2006-09-21 Samsung Electronics Co.; Ltd Network system for interworking W-LAN and 3G mobile communication network through RoF link and authentication method according to interworking in the network system
US7653039B2 (en) * 2005-02-18 2010-01-26 Samsung Electronics Co., Ltd. Network system for interworking W-LAN and 3G mobile communication network through RoF link and authentication method according to interworking in the network system
CN100389555C (en) * 2005-02-21 2008-05-21 西安西电捷通无线网络通信有限公司 An Access Authentication Method Suitable for Wired and Wireless Networks
US7376113B2 (en) * 2005-04-01 2008-05-20 Arubs Networks, Inc. Mechanism for securely extending a private network
US20060221916A1 (en) * 2005-04-01 2006-10-05 Taylor John R Wireless virtual private network
US7885659B2 (en) 2005-05-10 2011-02-08 Network Equipment Technologies, Inc. LAN-based UMA network controller with local services support
US20060276137A1 (en) * 2005-05-10 2006-12-07 Network Equipment Technologies, Inc. LAN-based UMA network controller with local services support
WO2006122213A3 (en) * 2005-05-10 2007-11-01 Network Equipment Tech Lan-based uma network controller with aggregated transport
US8224333B2 (en) 2005-05-10 2012-07-17 Network Equipment Technologies, Inc. LAN-based UMA network controller with aggregated transport
US20060276139A1 (en) * 2005-05-10 2006-12-07 Network Equipment Technologies, Inc. LAN-based UMA network controller with aggregated transport
US8750827B2 (en) 2005-05-10 2014-06-10 Network Equipment Technologies, Inc. LAN-based UMA network controller with aggregated transport
US8380167B2 (en) 2005-05-10 2013-02-19 Network Equipment Technologies, Inc. LAN-based UMA network controller with proxy connection
US20060294204A1 (en) * 2005-06-28 2006-12-28 Kotzin Michael D Methods and devices for redirecting subscriber communication
US20070033643A1 (en) * 2005-07-19 2007-02-08 Ssh Communications Security Corp. User authentication in connection with a security protocol
US9160830B2 (en) * 2005-07-25 2015-10-13 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
US20070082705A1 (en) * 2005-07-25 2007-04-12 Mediatek Inc. Mobile communication apparatus having anti-theft and auto-notification functions
US20070036110A1 (en) * 2005-08-10 2007-02-15 Alcatel Access control of mobile equipment to an IP communication network with dynamic modification of the access policies
US8627092B2 (en) * 2006-03-22 2014-01-07 Lg Electronics Inc. Asymmetric cryptography for wireless systems
US20100293372A1 (en) * 2006-03-22 2010-11-18 Patrick Fischer Asymmetric cryptography for wireless systems
US9106409B2 (en) * 2006-03-28 2015-08-11 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US20150312232A1 (en) * 2006-03-28 2015-10-29 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US9641494B2 (en) * 2006-03-28 2017-05-02 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US20070230707A1 (en) * 2006-03-28 2007-10-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US20090070854A1 (en) * 2006-05-13 2009-03-12 Huawei Technologies Co., Ltd. Method, apparatus and network for negotiating mip capability
US20080056286A1 (en) * 2006-08-29 2008-03-06 Nokia Corporation Evaluating a communication interface
US7839871B2 (en) * 2006-08-29 2010-11-23 Nokia Corporation Evaluating a communication interface
US9357371B2 (en) 2006-10-02 2016-05-31 Aruba Networks, Inc. System and method for adaptive channel scanning within a wireless network
US20080080420A1 (en) * 2006-10-02 2008-04-03 Aruba Wireless Networks System and method for adaptive channel scanning within a wireless network
US8817813B2 (en) 2006-10-02 2014-08-26 Aruba Networks, Inc. System and method for adaptive channel scanning within a wireless network
US20080205649A1 (en) * 2007-01-08 2008-08-28 S&C Electric Co. Power distribution system secure access communication system and method
US8351606B2 (en) * 2007-01-08 2013-01-08 S&C Electric Company Power distribution system secure access communication system and method
US20090168788A1 (en) * 2007-12-31 2009-07-02 Minsh Den Network address translation for tunnel mobility
US8345694B2 (en) * 2007-12-31 2013-01-01 Airvana, Corp. Network address translation for tunnel mobility
US20100088399A1 (en) * 2008-10-03 2010-04-08 Yoel Gluck Enterprise security setup with prequalified and authenticated peer group enabled for secure DHCP and secure ARP/RARP
US20120051321A1 (en) * 2010-08-24 2012-03-01 Clear Wireless Llc Method for seamless ip session continuity for multi-mode mobile stations
US8621649B1 (en) * 2011-03-31 2013-12-31 Emc Corporation Providing a security-sensitive environment
US9661493B2 (en) 2013-02-22 2017-05-23 Samsung Electronics Co., Ltd. Apparatus and method for providing a wireless communication in a portable terminal
EP2988538A1 (en) * 2014-08-12 2016-02-24 Vodafone IP Licensing limited Machine-to-machine cellular communication security for authentication and key agreement using ggsn
US9992670B2 (en) 2014-08-12 2018-06-05 Vodafone Ip Licensing Limited Machine-to-machine cellular communication security
CN106211100A (en) * 2014-08-12 2016-12-07 沃达方Ip许可有限公司 The cellular communication safety of machine to machine
GB2531862A (en) * 2014-08-12 2016-05-04 Vodafone Ip Licensing Ltd Machine-to-machine cellular communication security
US10455414B2 (en) * 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
US10992709B2 (en) * 2015-07-28 2021-04-27 Citrix Systems, Inc. Efficient use of IPsec tunnels in multi-path environment
US20210345106A1 (en) * 2019-01-25 2021-11-04 Kabushiki Kaisha Toshiba Communication control device and communication control system

Also Published As

Publication number Publication date
US7389412B2 (en) 2008-06-17
WO2003015360A3 (en) 2003-09-25
WO2003015360A2 (en) 2003-02-20
AU2002326642A1 (en) 2003-02-24

Similar Documents

Publication Publication Date Title
US7389412B2 (en) System and method for secure network roaming
US9544282B2 (en) Changing group member reachability information
US20030031151A1 (en) System and method for secure roaming in wireless local area networks
JP4377409B2 (en) Method, system and apparatus for supporting Mobile IP (Mobile IP) version 6 service
AU2003295466B2 (en) 802.11using a compressed reassociation exchange to facilitate fast handoff
EP1495621B1 (en) Security transmission protocol for a mobility ip network
US6915345B1 (en) AAA broker specification and protocol
US8667151B2 (en) Bootstrapping method for setting up a security association
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
US20030028763A1 (en) Modular authentication and authorization scheme for internet protocol
WO2007005101A2 (en) System and method for establishing a shared key between network peers
KR20060031813A (en) Method, system and device for supporting mobile IP version 6 service in CDMA system
CN101180848A (en) Secure Handover in WLAN
Jacob et al. Security of current Mobile IP solutions
US20070157305A1 (en) Controlling the number of internet protocol security (IPsec) security associations
JP2003115834A (en) Security association cutting/continuing method and communication system
Sithirasenan et al. EAP-CRA for WiMAX, WLAN and 4G LTE Interoperability
Jiang et al. Network Security in RWNs
CN119342458A (en) Protection of application metadata in transport protocols
Xenakis et al. Alternative Schemes for Dynamic Secure VPN Deployment in UMTS
KR100596397B1 (en) Session Key Distribution Method of Radius-based AAA Server in Mobile IPv6 Environment
Park et al. Secure firewall traversal in mobile IP network
Sanchez et al. Optimization of the Establishment of Secure Communication Channels in Wireless Mobile Networks
KR20090065023A (en) Internet Security Protocol Tunnel Mode Handling
Ramezani Coordinated Robust Authentication In Wireless Networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: MEGISTO SYSTEMS, MARYLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHARMA, MUKESH;SKISCIM, CHRISTOPHER;ROBERTS, PHILIP;AND OTHERS;REEL/FRAME:013212/0320

Effective date: 20020801

AS Assignment

Owner name: SKYLEAD ASSETS LIMITED, VIRGIN ISLANDS, BRITISH

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MEGISTO SYSTEMS, INC.;REEL/FRAME:016798/0620

Effective date: 20050627

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SYNIVERSE TECHNOLOGIES, INC., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SKYLEAD ASSETS LIMITED;REEL/FRAME:026145/0641

Effective date: 20110413

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: SYNIVERSE TECHNOLOGIES, LLC, FLORIDA

Free format text: CHANGE OF NAME;ASSIGNOR:SYNIVERSE TECHNOLOGIES, INC.;REEL/FRAME:028053/0843

Effective date: 20120229

AS Assignment

Owner name: BARCLAYS BANK PLC, NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:SYNIVERSE TECHNOLOGIES, LLC;REEL/FRAME:028097/0801

Effective date: 20120423

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: BARCLAYS BANK PLC, AS ADMINISTRATIVE AGENT, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:SYNIVERSE TECHNOLOGIES, LLC;REEL/FRAME:045176/0670

Effective date: 20180309

Owner name: BARCLAYS BANK PLC, AS ADMINISTRATIVE AGENT, NEW YO

Free format text: SECURITY INTEREST;ASSIGNOR:SYNIVERSE TECHNOLOGIES, LLC;REEL/FRAME:045176/0670

Effective date: 20180309

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: SYNIVERSE TECHNOLOGIES, LLC, FLORIDA

Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BARCLAYS BANK PLC, AS COLLATERAL AGENT;REEL/FRAME:060064/0454

Effective date: 20220513

Owner name: SYNIVERSE TECHNOLOGIES, LLC, FLORIDA

Free format text: TERMINATION AND RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BARCLAYS BANK PLC, AS COLLATERAL AGENT;REEL/FRAME:060064/0447

Effective date: 20220513

AS Assignment

Owner name: BARCLAYS BANK PLC, AS COLLATERAL AGENT, NEW YORK

Free format text: NOTICE AND CONFIRMATION OF GRANT OF SECURITY INTEREST IN PATENTS;ASSIGNOR:SYNIVERSE TECHNOLOGIES, LLC;REEL/FRAME:060072/0598

Effective date: 20220513